CVE-2025-68947
MEDIUM | EXPLOITED | RANSOMWARE
NSecsoft 'NSecKrnl' - Privilege Escalation
Title source: llm
Exploitation Summary
CVE-2025-68947 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns.
Description
NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted IOCTL requests to the driver.
References (5)
Core References
Various Sources: technical-description
https://www.virustotal.com/gui/file/206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261
Various Sources: exploit, technical-description
https://hexastrike.com/resources/blog/threat-intelligence/valleyrat-exploiting-byovd-to-kill-endpoint-security/
Various Sources: vdb-entry
https://www.cve.org/CVERecord?id=CVE-2025-68947
Various Sources: government-resource, third-party-advisory
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-013-01.json
Scores
CVSS v3: 4.7
EPSS: 0.0012
EPSS Percentile: 1.9%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
VulnCheck KEV: 2026-02-05
Ransomware Use: Confirmed
CWE: CWE-862
Status: published
Products (1): NSecsoft/NSecKrnl
Published: Jan 13, 2026
Tracked Since: Feb 18, 2026