PT-2026-2558 · Nsecsoft · Nseckrnl

Published: 2026-01-13 · Updated: 2026-04-11 · CVE-2025-68947

CVSS v3.1: 4.7 (Medium)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: NSecsoft 'NSecKrnl' versions (affected versions not specified)

Description: The 'NSecKrnl' Windows driver has a flaw that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by sending crafted Input/Output Control (IOCTL) requests to the driver. The driver fails to properly verify the caller's permissions before executing commands, which lets attackers bypass security measures at the kernel level. The Reynolds ransomware group has been observed leveraging this vulnerability (CVE-2025-68947) as part of a Bring Your Own Vulnerable Driver (BYOVD) attack strategy to disable endpoint detection and response (EDR) and antivirus solutions before encrypting files. The Black Basta ransomware group has also been observed using this vulnerability in a similar manner. The estimated number of potentially affected devices is not specified.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
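
With no fixed version available, detection has to focus on the BYOVD pattern described above: the driver is loaded, then security agents are terminated. The following is an added example, not part of the advisory or any vendor tooling. It correlates constructed events shaped like Sysmon Event ID 6 (driver loaded) and Event ID 5 (process terminated). The driver file-name match, the agent image names and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any platform

# Assumption: the file name contains "nseckrnl"; a renamed copy needs
# hash or signer matching instead.
WATCHED_DRIVER = "nseckrnl"
# Hypothetical security-agent image names; replace with your estate's agents.
SECURITY_IMAGES = {"edr-agent.exe", "av-service.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events: id 6 = driver loaded, id 5 = process terminated.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 6, "time": "2026-01-20 10:00:05", "image": r"C:\Users\Public\NSecKrnl.sys"},
    {"host": "ws01", "id": 5, "time": "2026-01-20 10:00:40", "image": r"C:\Program Files\EDR\edr-agent.exe"},
    {"host": "ws01", "id": 5, "time": "2026-01-20 10:00:41", "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "ws02", "id": 5, "time": "2026-01-20 10:01:00", "image": r"C:\Program Files\AV\av-service.exe"},
    {"host": "ws03", "id": 6, "time": "2026-01-20 09:00:00", "image": r"C:\Temp\nseckrnl.sys"},
    {"host": "ws03", "id": 5, "time": "2026-01-20 11:30:00", "image": r"C:\Program Files\EDR\edr-agent.exe"},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def correlate(events):
    """Return (loads, alerts): every watched-driver load, plus security-agent
    terminations on the same host within WINDOW after such a load."""
    loads, alerts = [], []
    last_load = {}  # host -> time of the most recent watched-driver load
    for ev in sorted(events, key=_ts):
        name = basename(ev["image"]).lower()
        if ev["id"] == 6 and WATCHED_DRIVER in name:
            last_load[ev["host"]] = _ts(ev)
            loads.append((ev["host"], ev["image"]))
        elif ev["id"] == 5 and name in SECURITY_IMAGES:
            loaded = last_load.get(ev["host"])
            if loaded is not None and _ts(ev) - loaded <= WINDOW:
                delay = int((_ts(ev) - loaded).total_seconds())
                alerts.append((ev["host"], name, delay))
    return loads, alerts

if __name__ == "__main__":
    loads, alerts = correlate(SAMPLE_EVENTS)
    for host, image in loads:
        print(f"[load] {host}: {image}")
    for host, proc, delay in alerts:
        print(f"[ALERT] {host}: {proc} terminated {delay}s after driver load")
```

A driver load on its own (ws03 in the sample) is still worth triage; the alert list only marks hosts where an agent termination followed within the window.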

Exploit

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-68947

Affected Products: Nseckrnl