CVE-2022-25949

HIGH

KINGSOFT Internet Security 9 Plus 2010.06.23.247 - Stack-based Buffer Overflow in kwatch3 Kernel Driver

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-25949. PoCs published by tandasat.

AI-analyzed exploit summary This is a functional exploit for CVE-2022-25949, targeting a local privilege escalation vulnerability in Kingsoft Antivirus KWatch Driver (KWatch3.sys) version 2009.3.17.77. The exploit uses a token-stealing shellcode to escalate privileges to SYSTEM.

Description

The kernel mode driver kwatch3 of KINGSOFT Internet Security 9 Plus Version 2010.06.23.247 fails to properly handle crafted inputs, leading to stack-based buffer overflow.

Exploits (1)

nomisec WORKING POC 38 stars
by tandasat · poc
https://github.com/tandasat/CVE-2022-25949

This is a functional exploit for CVE-2022-25949, targeting a local privilege escalation vulnerability in Kingsoft Antivirus KWatch Driver (KWatch3.sys) version 2009.3.17.77. The exploit uses a token-stealing shellcode to escalate privileges to SYSTEM.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Kingsoft Internet Security 9 Plus (KWatch3.sys 2009.3.17.77)
No auth needed
Prerequisites: Kingsoft Antivirus KWatch Driver version 2009.3.17.77 must be installed · Local access to the target system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory x_refsource_confirm
https://support.kingsoft.jp/support-info/weakness.html
Third Party Advisory third-party-advisory x_refsource_jvn
https://jvn.jp/en/jp/JVN21234459/

Scores

CVSS v3 7.8
EPSS 0.0074
EPSS Percentile 50.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-121 CWE-787
Status published
Products (1)
kingsoft/internet_security_9_plus 2010.06.23.247
Published Mar 17, 2022
Tracked Since Feb 18, 2026