CVE-2025-7771

ThrottleStop — MSR write primitive abused as AV/EDR killer

Summary

| Field | Value |
|---|---|
| Driver | ThrottleStop.sys |
| Vendor | ThrottleStop (Kevin Glynn) |
| Vulnerability Class | Arbitrary R/W / MSR Write |
| Abused Version | 9.6 and earlier |
| Status | Blocklisted — added to Microsoft Vulnerable Driver Blocklist |
| Exploited ITW | Yes |

BYOVD Context

  • Driver signing: Authenticode-signed with valid certificate
  • Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules (added 2025)
  • HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
  • KDU integration: Not integrated
  • LOLDrivers: Listed at loldrivers.io

Affected IOCTLs

  • MSR write (WRMSR) with user-controlled register index and value
  • MSR read (RDMSR)

Root Cause

ThrottleStop.sys is the kernel driver for ThrottleStop, a utility for monitoring and adjusting CPU throttling. The driver exposes IOCTLs for reading and writing Model-Specific Registers (MSRs), which are required for CPU frequency and voltage control. The MSR write IOCTL accepts a user-controlled register index and value and executes the WRMSR instruction with those parameters without restricting which MSRs can be written.

Kaspersky's SecureList published a detailed analysis in 2025 documenting how threat actors weaponized this MSR write capability. Rather than using the driver for traditional privilege escalation, attackers used MSR writes to manipulate CPU behavior and disable security software. The attack technique involves writing to specific MSRs that affect interrupt delivery and CPU state, causing AV/EDR agents to crash or become unresponsive.

Exploitation

The ITW exploitation pattern documented by Kaspersky:

  1. Attacker deploys ThrottleStop.sys via a dropper
  2. Opens a device handle to the ThrottleStop device
  3. Uses the MSR write IOCTL to write to performance-related MSRs
  4. The MSR writes destabilize the CPU state in a way that causes AV/EDR kernel-mode components to crash or hang
  5. With security software disabled, the attacker proceeds with their primary payload (ransomware deployment, data exfiltration)

This represents a novel BYOVD abuse pattern: rather than using kernel R/W for token manipulation, the attacker weaponizes MSR access to disable security software indirectly.

Detection

YARA Rule

rule CVE_2025_7771_ThrottleStop {
    meta:
        description = "Detects ThrottleStop.sys vulnerable driver"
        cve = "CVE-2025-7771"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }                                   // PE "MZ" header bytes
        $driver_name = "ThrottleStop" wide ascii nocase   // product/driver name embedded in the binary
        $throttle = "Throttle" wide ascii                 // broad fallback: matches any PE containing "Throttle", so expect false positives
    condition:
        $mz at 0 and ($driver_name or $throttle)          // a PE file carrying either string
}

ETW Indicators

| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-Kernel-File | Driver load event | Detects loading of ThrottleStop.sys |
| Sysmon | Event ID 6 — Driver loaded | Hash and signature capture |
| Microsoft-Windows-Security-Auditing | Event 4697 — Service installed | Service creation for ThrottleStop driver |
| Microsoft-Windows-Kernel-Process | Process crash events | AV/EDR process crashes following MSR manipulation |

Behavioral Indicators

  • Loading of ThrottleStop.sys from a path unrelated to the ThrottleStop utility
  • MSR write IOCTLs from processes that are not the ThrottleStop application
  • AV/EDR process crashes or hangs temporally correlated with ThrottleStop driver loading
  • Subsequent malware deployment after security software failure
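The first and third behavioral indicators above (an out-of-place ThrottleStop.sys load followed by a security-agent crash) can be turned into a simple correlation rule. The following is an added example, not code from the original page or from KernelSight; the event shape, the expected install directory and the agent process names are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

DRIVER_NAME = "throttlestop.sys"
# Directory fragment the legitimate utility is assumed to install under (assumption).
EXPECTED_PATH_FRAGMENT = "\\throttlestop\\"
# Image names treated as AV/EDR agents (placeholders, not real product names).
SECURITY_AGENTS = {"edr_agent.exe", "av_service.exe"}
CRASH_WINDOW = timedelta(minutes=15)

# Constructed sample events in a simplified, Sysmon-like shape (not a real export):
# (ISO timestamp, kind, fields). "driver_load" mirrors Sysmon Event ID 6,
# "process_crash" mirrors the Kernel-Process crash signal named above.
SAMPLE_EVENTS = [
    ("2025-06-01T09:00:00", "driver_load", {"ImageLoaded": "C:\\Program Files\\ThrottleStop\\ThrottleStop.sys"}),
    ("2025-06-01T12:00:00", "driver_load", {"ImageLoaded": "C:\\Users\\Public\\ThrottleStop.sys"}),
    ("2025-06-01T12:00:07", "process_crash", {"Image": "C:\\Program Files\\EDR\\edr_agent.exe"}),
    ("2025-06-01T12:00:09", "process_crash", {"Image": "C:\\Windows\\System32\\notepad.exe"}),
    ("2025-06-01T15:00:00", "process_crash", {"Image": "C:\\Program Files\\EDR\\edr_agent.exe"}),
]


def suspicious_driver_load(image_path: str) -> bool:
    """True when a file named ThrottleStop.sys loads from outside the utility's own directory."""
    path = PureWindowsPath(image_path)
    if path.name.lower() != DRIVER_NAME:
        return False
    parent = str(path.parent).lower() + "\\"
    return EXPECTED_PATH_FRAGMENT not in parent


def correlate(events, window=CRASH_WINDOW):
    """Pair each suspicious driver load with security-agent crashes inside `window` after it."""
    parsed = sorted(((datetime.fromisoformat(ts), kind, f) for ts, kind, f in events),
                    key=lambda e: e[0])
    loads = [(ts, f["ImageLoaded"]) for ts, kind, f in parsed
             if kind == "driver_load" and suspicious_driver_load(f["ImageLoaded"])]
    alerts = []
    for load_ts, driver_path in loads:
        for ts, kind, f in parsed:
            if kind != "process_crash":
                continue
            proc = PureWindowsPath(f["Image"]).name.lower()
            if proc in SECURITY_AGENTS and load_ts <= ts <= load_ts + window:
                alerts.append({"driver_load": load_ts.isoformat(), "driver_path": driver_path,
                               "crashed_agent": proc, "crash": ts.isoformat()})
    return alerts
```

Run against the constructed sample, only the 12:00 load from C:\Users\Public pairs with the agent crash seven seconds later; the Program Files load and the crash three hours later produce no alert.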

References