CVE-2025-26125

HIGH EXPLOITED RANSOMWARE

IObit Malware Fighter <12.1.0 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2025-26125 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 1 public exploit from researchers including ZeroMemoryEx.

AI-analyzed exploit summary: This PoC exploits a vulnerability in IObit software (CVE-2025-26125) by leveraging arbitrary file/folder deletion via a device IO control call. It demonstrates privilege escalation by manipulating the Windows Installer directory structure and registry keys.

Description

An exposed ioctl in the IMFForceDelete driver of IObit Malware Fighter v12.1.0 allows attackers to arbitrarily delete files and escalate privileges.

Exploits (1)

nomisec · WORKING POC · 166 stars
by ZeroMemoryEx · local
https://github.com/ZeroMemoryEx/CVE-2025-26125

Classification
Working PoC: 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: IObit software (specific version not specified)
No auth needed
Prerequisites: IObit software installed · Access to the system to run the PoC
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.3
EPSS: 0.0010
EPSS Percentile: 28.0%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

VulnCheck KEV: 2026-02-26
Ransomware Use: Confirmed
CWE: CWE-782
Status: published
Published: Mar 17, 2025
Tracked Since: Feb 18, 2026