PT-2025-32145 · Unknown · Throttlestop.Sys

Anderson Leite

Published 2025-08-06 · Updated 2026-05-14

CVE-2025-7771

CVSS v4.0: 8.7 (High)

Vector: AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: ThrottleStop versions 3.0.0.0 and possibly others; ThrottleStop.sys (affected versions not specified)
Description: The ThrottleStop.sys driver contains a flaw in its insecurely implemented IOCTL interface, specifically the exposure of the MmMapIoSpace function, which grants arbitrary read and write access to physical memory. A malicious user-mode application can use this to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges. Exploitation can lead to privilege escalation, bypassing of security software, and follow-on attacks such as ransomware deployment. A new malware strain, dubbed AV Killer, is actively exploiting this issue (CVE-2025-7771) to disable antivirus solutions, including Defender, Avast, CrowdStrike, and BitDefender, and to facilitate the deployment of ransomware such as MedusaLocker. The malware targets systems in Russia, Belarus, Ukraine, and Brazil. The vulnerability lets attackers kill antivirus processes and obscure their activity using fake user accounts. MmMapIoSpace is the function used to reach physical memory, enabling manipulation of kernel-level functions from user mode. The AV Killer malware uses its All.exe component to identify and terminate active AV products.
Recommendations: Apply updates per vendor instructions for ThrottleStop versions 3.0.0.0 and later. For all other affected versions, apply updates per vendor instructions.
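Added example (not from this advisory or the ThrottleStop vendor): a small Python correlation rule that flags the AV Killer pattern described above, a ThrottleStop.sys driver load followed shortly by termination of security-product processes on the same host. The log record format, the AV image names and the 15-minute window are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed assumptions: AV service image names and the correlation
# window are chosen for this example, not taken from the advisory.
VULNERABLE_DRIVER = "throttlestop.sys"
AV_IMAGES = {"msmpeng.exe", "avastsvc.exe", "csfalconservice.exe", "bdservicehost.exe"}
WINDOW = timedelta(minutes=15)


def parse_event(line):
    """Parse one 'timestamp|host|kind|image|actor' record (constructed format)."""
    ts, host, kind, image, actor = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind,
            "image": image.lower(), "actor": actor.lower()}


def correlate(lines):
    """Return one alert per AV image terminated on a host within WINDOW
    after a ThrottleStop.sys load on that same host."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    loads = {}  # host -> timestamp of the most recent vulnerable-driver load
    alerts = []
    for e in events:
        if e["kind"] == "driver_load" and e["image"].rsplit("\\", 1)[-1] == VULNERABLE_DRIVER:
            loads[e["host"]] = e["ts"]
        elif e["kind"] == "process_terminated" and e["image"] in AV_IMAGES:
            loaded = loads.get(e["host"])
            if loaded is not None and loaded <= e["ts"] <= loaded + WINDOW:
                alerts.append({"host": e["host"], "driver_loaded": loaded.isoformat(),
                               "av_image": e["image"], "actor": e["actor"]})
    return alerts


# Constructed sample telemetry: WS01 shows the suspicious sequence, WS02 shows a
# benign AV service stop with no driver load, and the last line falls outside WINDOW.
SAMPLE_LOG = """\
2025-08-06T10:00:00|WS01|driver_load|C:\\Windows\\Temp\\ThrottleStop.sys|
2025-08-06T10:02:15|WS01|process_terminated|MsMpEng.exe|All.exe
2025-08-06T10:03:40|WS01|process_terminated|bdservicehost.exe|All.exe
2025-08-06T10:05:00|WS02|process_terminated|MsMpEng.exe|services.exe
2025-08-06T11:30:00|WS01|process_terminated|AvastSvc.exe|All.exe
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Feeding it the sample above yields two alerts, both for WS01; the WS02 stop and the late AvastSvc.exe termination are not flagged.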

Tags: Exploit, Fix, LPE

Weakness Enumeration

Related Identifiers

BDU:2025-09694
CVE-2025-7771

Affected Products

Throttlestop.Sys