CVE-2025-7771

ThrottleStop.sys -- MSR write primitive repurposed as an AV/EDR killer through CPU state manipulation

Summary

Field                Value
-----                -----
Driver               ThrottleStop.sys
Vendor               ThrottleStop (Kevin Glynn)
Vulnerability Class  Arbitrary R/W / MSR Write
Abused Version       9.6 and earlier
Status               Blocklisted -- added to Microsoft Vulnerable Driver Blocklist
Exploited ITW        Yes

BYOVD Context

  • Driver signing: Authenticode-signed with valid certificate
  • Vulnerable Driver Blocklist: Included in Microsoft's recommended driver block rules (added 2025)
  • HVCI behavior: Blocked on HVCI-enabled systems via the blocklist
  • KDU integration: Not integrated
  • LOLDrivers: Listed at loldrivers.io

Affected IOCTLs

  • MSR write (WRMSR) with user-controlled register index and value
  • MSR read (RDMSR)

Context

Most BYOVD drivers are abused for their arbitrary read/write primitives: the attacker reads kernel memory to defeat KASLR, then writes to swap a process token or corrupt a security descriptor. ThrottleStop breaks this pattern. Instead of using the driver's MSR access for direct privilege escalation, threat actors discovered they could use MSR writes to destabilize the CPU in ways that crash security software while leaving the rest of the system functional enough to deploy malware.

ThrottleStop is a legitimate CPU throttling utility used by overclockers and performance enthusiasts. Its kernel driver needs MSR access to read and write CPU frequency, voltage, and thermal registers. The problem is that it does not restrict which MSRs can be written. An attacker with a handle to the device can write to any MSR, including those controlling interrupt delivery, CPU power states, and performance monitoring.

Root Cause

ThrottleStop.sys exposes IOCTLs for reading and writing Model-Specific Registers. The WRMSR IOCTL accepts a user-controlled register index and value, then executes the WRMSR instruction with those parameters. There is no allowlist of safe MSRs. There is no validation of the caller. Any process that can open the device handle can write to any MSR on any logical processor.

Kaspersky's SecureList published the analysis documenting how this capability was weaponized. The technique writes to performance-related MSRs that affect interrupt delivery and CPU scheduling behavior. The result is that kernel-mode components of AV/EDR products crash or become unresponsive, while the system itself remains stable enough for the attacker to complete their operation.

Exploitation

The ITW exploitation pattern documented by Kaspersky follows a distinctive flow that sets it apart from traditional BYOVD attacks.

The attacker deploys ThrottleStop.sys via a dropper and opens a device handle. Rather than reading kernel memory or manipulating tokens, they use the MSR write IOCTL to write to performance-related MSRs. These writes destabilize the CPU state in a targeted way: the changes affect interrupt delivery and scheduling in a manner that causes AV/EDR kernel-mode components to crash or hang. The security software's failure appears as a legitimate crash rather than a termination, making it harder to detect as an attack. With security software disabled, the attacker proceeds with ransomware deployment or data exfiltration.

This is an uncommon BYOVD pattern. Instead of the direct "load driver, kill process" approach seen in viragt64.sys or CVE-2025-68947, the MSR manipulation creates a more subtle failure mode that looks like a software bug rather than an attack.

Detection

YARA Rule

rule CVE_2025_7771_ThrottleStop {
    meta:
        description = "Detects ThrottleStop.sys vulnerable driver"
        cve = "CVE-2025-7771"
        author = "KernelSight"
        severity = "critical"
    strings:
        $mz = { 4D 5A }                                  // PE "MZ" header at offset 0
        $driver_name = "ThrottleStop" wide ascii nocase  // driver / product name
        $throttle = "Throttle" wide ascii                // broad fallback string
    condition:
        // Any PE carrying either string. $throttle alone will also hit unrelated
        // binaries, so confirm hits against file hash and signer before acting.
        $mz at 0 and ($driver_name or $throttle)
}

ETW Indicators

Provider                             Event / Signal                   Relevance
--------                             --------------                   ---------
Microsoft-Windows-Kernel-File        Driver load event                Detects loading of ThrottleStop.sys
Sysmon                               Event ID 6 -- Driver loaded      Hash and signature capture
Microsoft-Windows-Security-Auditing  Event 4697 -- Service installed  Service creation for ThrottleStop driver
Microsoft-Windows-Kernel-Process     Process crash events             AV/EDR process crashes following MSR manipulation

Behavioral Indicators

  • Loading of ThrottleStop.sys from a path unrelated to the ThrottleStop utility
  • MSR write IOCTLs from processes that are not the ThrottleStop application
  • AV/EDR process crashes or hangs temporally correlated with ThrottleStop driver loading
  • Subsequent malware deployment after security software failure
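The first and third indicators above combine into one correlation: a ThrottleStop.sys load from an unexpected path followed shortly by a security-product crash. The following is an added example of that logic (not code from the page, KernelSight or any vendor) run over constructed event records; the dict schema, the install directory and the process names are assumptions.

```python
"""Correlate ThrottleStop.sys driver loads with later AV/EDR crashes.
Added example for this write-up (not from the page or any vendor). Events are
constructed dicts modelled on the telemetry the page lists (Sysmon ID 6 driver
loads, process-crash events); field names, install path and process names are
assumptions, not a real schema."""
from datetime import datetime, timedelta

# Assumed legitimate install directory; loads from anywhere else are suspicious.
EXPECTED_DIR = r"c:\program files\throttlestop"
# Assumed names of security-product processes whose crashes matter here.
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe"}

def is_suspicious_load(ev):
    """Driver-load event for ThrottleStop.sys outside its expected directory."""
    if ev.get("type") != "driver_loaded":
        return False
    path = ev["image"].lower()
    name = path.rsplit("\\", 1)[-1]
    return name == "throttlestop.sys" and not path.startswith(EXPECTED_DIR + "\\")

def correlate(events, window_seconds=600):
    """Pair each suspicious load with security-process crashes within
    window_seconds after it. Either signal alone is weak (the driver is
    legitimate, processes crash); the temporal pairing is the indicator."""
    events = sorted(events, key=lambda e: e["time"])
    hits = []
    for load in filter(is_suspicious_load, events):
        deadline = load["time"] + timedelta(seconds=window_seconds)
        crashes = [e for e in events
                   if e.get("type") == "process_crash"
                   and load["time"] <= e["time"] <= deadline
                   and e["process"].lower() in SECURITY_PROCESSES]
        if crashes:
            hits.append((load, crashes))
    return hits

def ts(s):
    return datetime.fromisoformat(s)

SAMPLE_EVENTS = [  # constructed telemetry, not captured logs
    {"type": "driver_loaded", "time": ts("2025-06-01T10:00:00"),
     "image": r"C:\Program Files\ThrottleStop\ThrottleStop.sys"},  # benign
    {"type": "driver_loaded", "time": ts("2025-06-01T12:00:05"),
     "image": r"C:\Users\Public\ThrottleStop.sys"},                # odd path
    {"type": "process_crash", "time": ts("2025-06-01T12:03:40"),
     "process": "MsMpEng.exe"},
    {"type": "process_crash", "time": ts("2025-06-01T12:04:10"),
     "process": "notepad.exe"},                                    # ignored
]
```

Running `correlate(SAMPLE_EVENTS)` yields one hit: the load from C:\Users\Public paired with the MsMpEng.exe crash 3.5 minutes later, while the benign load and the notepad crash are ignored.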

Broader Significance

ThrottleStop.sys demonstrates that BYOVD abuse is not limited to memory read/write or process termination. Any sufficiently powerful hardware interface exposed through a signed driver becomes a weapon. MSR access is particularly dangerous because it controls CPU behavior at a level below the operating system's ability to observe or prevent. As blocklists grow to cover the most obvious BYOVD targets, attackers will increasingly look for unconventional primitives like MSR manipulation that achieve the same goal through indirect means.

References