PT-2026-2558 · Nsecsoft · Nseckrnl

Published: 2026-01-13 · Updated: 2026-03-05 · CVE-2025-68947

CVSS v3.1: 4.7 (Medium), AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

NSecsoft NSecKrnl versions prior to January 2026

Description

The NSecKrnl Windows driver contains a flaw that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes. This is achieved by sending crafted Input/Output Control (IOCTL) requests to the driver. Multiple ransomware groups, including Reynolds and Black Basta, have been observed leveraging this vulnerability (CVE-2025-68947) as a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection and response (EDR) and antivirus solutions before encrypting files. The exploitation of this issue has been observed as early as February 2026. The driver fails to properly verify user permissions before executing commands, enabling the described malicious activity.

Recommendations

Update NSecKrnl to a version released after January 2026.

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-68947

Affected Products

Nseckrnl