PT-2025-32145 · Unknown · Throttlestop.Sys

Anderson Leite +4 · Published 2025-08-06 · Updated 2026-06-15 · CVE-2025-7771

CVSS v4.0: 8.7 (High)
Vector: AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: ThrottleStop.sys version 3.0.0.0; ThrottleStop.sys (affected versions not specified)
Description: The ThrottleStop.sys driver insecurely exposes the kernel MmMapIoSpace() function through two IOCTL interfaces, allowing arbitrary read and write access to physical memory. This allows a local user-mode application to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges (the highest level of privilege in the Windows architecture). Attackers can use this to execute arbitrary code in the kernel context, leading to privilege escalation and the ability to bypass kernel-level protections or disable security software.
Real-world exploitation has been observed in BYOVD (Bring Your Own Vulnerable Driver) attacks. Malware known as AV Killer and Gentlemen ransomware have used this issue to terminate antivirus and EDR processes, including Windows Defender, CrowdStrike, and BitDefender, to facilitate the deployment of MedusaLocker ransomware. These attacks have specifically targeted organizations in Russia, Belarus, Ukraine, Kazakhstan, and Brazil.
Technical details include the use of IOCTL 0x8000649C to overwrite kernel instructions, such as those in the NtAddAtom() function, with shellcode. The malware may also use the NtQuerySystemInformation() function to identify active security processes.
Recommendations: Update ThrottleStop.sys to the latest security update provided by TechPowerUp. Disable public RDP access. Implement multi-factor authentication (MFA). Apply strict access controls and network segmentation.
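The IOCTL code quoted in the technical details is a packed CTL_CODE value, and decoding it tells an analyst which device type, buffering method and handle access rights the I/O manager checks before the driver's own dispatch code runs. The decoder below is an added example written for this entry, not code from the advisory or from ThrottleStop; the field layout and names are those of the public Windows CTL_CODE macro.

```python
# Added example, not part of the advisory: decode a Windows IOCTL control
# code into its CTL_CODE fields so the advisory's 0x8000649C can be read.
from dataclasses import dataclass

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int  # bits 31..16, the FILE_DEVICE_* value
    access: int       # bits 15..14, handle rights the I/O manager checks
    function: int     # bits 13..2, driver-defined function number
    method: int       # bits 1..0, buffering method

    @property
    def vendor_defined(self) -> bool:
        # Device types 0x8000 and above are reserved for third-party drivers.
        return self.device_type >= 0x8000


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into the four CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL control codes are 32-bit values")
    return Ioctl(code=code,
                 device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3)


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python mirror of the CTL_CODE macro from the Windows driver headers."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def describe(code: int) -> str:
    """Render a control code the way it would appear in driver source."""
    i = decode_ioctl(code)
    return (f"0x{code:08X} = CTL_CODE(0x{i.device_type:04X}, 0x{i.function:03X}, "
            f"{METHOD_NAMES[i.method]}, {ACCESS_NAMES[i.access]})")


if __name__ == "__main__":
    # The code named in the advisory decodes to a vendor device type with
    # METHOD_BUFFERED and FILE_READ_ACCESS: the I/O manager only requires
    # read access on the device handle for this request.
    print(describe(0x8000649C))
```

The access field is the only check the I/O manager performs on its own; who may open the device at all is governed by the device object's security descriptor, which this decoder cannot see.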

Tags: Exploit · Fix · LPE


Weakness Enumeration

Related Identifiers: BDU:2025-09694, CVE-2025-7771

Affected Products: Throttlestop.Sys