CVE-2025-52915

HIGH

K7RKScan.sys 23.0.0.10 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-52915. PoCs published by BlackSnufkin, diego-tella.

Description

K7RKScan.sys 23.0.0.10, part of the K7 Security Anti-Malware suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform those actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications.

Exploits (2)

nomisec WORKING POC 575 stars
by BlackSnufkin · poc
https://github.com/BlackSnufkin/BYOVD

This repository contains functional exploit code for CVE-2025-52915, targeting vulnerabilities in K7 Ultimate Security’s `K7RKScan.sys` driver. The PoC supports both LPE (low-privilege abuse) and BYOVD (Bring Your Own Vulnerable Driver) modes, demonstrating process termination via crafted IOCTL calls.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: K7 Ultimate Security (K7RKScan.sys versions 15.1.0.6–7 and 23.0.0.10)
No auth needed
Prerequisites: Vulnerable K7RKScan.sys driver file · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

github WORKING POC 10 stars
by diego-tella · cpoc
https://github.com/diego-tella/CVE-2025-1055-poc

This repository contains a functional PoC exploit for CVE-2025-52915, leveraging the K7RKScan.sys driver's IOCTL 0x222018 to terminate arbitrary processes, demonstrated by killing MsMpEng.exe (Windows Defender). The exploit includes a C program that interacts with the vulnerable driver to achieve local privilege escalation (LPE) by abusing the driver's process termination functionality.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: K7RKScan.sys (K7 Computing Antivirus Driver)
Auth required
Prerequisites: Administrator access to install the vulnerable driver · Presence of the vulnerable K7RKScan.sys driver
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 7.2
EPSS: 0.0008
EPSS Percentile: 24.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-269
Status: published
Published: Sep 09, 2025
Tracked Since: Feb 18, 2026