CVE-2025-70795

MEDIUM EXPLOITED

Safetica STProcessMonitor 11.11.4.0 - Authenticated Denial of Service via IOCTL Handler

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-70795 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including ANYLNK, adminlove520, wutang700.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-70795, targeting a vulnerable driver (STProcessMonitor.sys) to terminate processes without requiring elevated privileges. The exploit interacts with the driver via DeviceIoControl and includes logic for both older and updated driver versions.

Description

STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform those actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. Unauthorized processes load the driver and send a crafted IOCTL request (0xB822200C) to terminate processes protected by a third-party implementation. This action exploits insufficient caller validation in the driver's IOCTL handler, allowing unauthorized processes to perform termination operations in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications.

Exploits (3)

nomisec WORKING POC 43 stars
by ANYLNK · local
https://github.com/ANYLNK/STProcessMonitorBYOVD

This repository contains a functional exploit for CVE-2025-70795, targeting a vulnerable driver (STProcessMonitor.sys) to terminate processes without requiring elevated privileges. The exploit interacts with the driver via DeviceIoControl and includes logic for both older and updated driver versions.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: STProcessMonitor.sys (versions 11.11.4.0 and 11.26.18)
No auth needed
Prerequisites: vulnerable driver file · local access to the system
devstral-2 · analyzed Apr 17, 2026 Full analysis →
github WORKING POC 3 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-70795

This repository contains a functional exploit for CVE-2025-70795, targeting a vulnerable driver (STProcessMonitor.sys) to terminate processes without requiring elevated privileges. The exploit includes driver loading/unloading and process termination via DeviceIoControl with specific IOCTL codes.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: STProcessMonitor.sys (versions 11.11.4.0 and 11.26.18)
No auth needed
Prerequisites: vulnerable driver file · local access to the system
devstral-2 · analyzed Apr 24, 2026 Full analysis →
nomisec SUSPICIOUS 1 stars
by wutang700 · poc
https://github.com/wutang700/STProcessMonitorBYOVD

The repository claims to demonstrate CVE-2025-70795 but lacks technical details about the vulnerability. Instead, it pushes users to download an external ZIP file, which is a common social engineering tactic.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: STProcessMonitorBYOVD
No auth needed
Prerequisites: Windows 10 or later · Internet connection to download the software
devstral-2 · analyzed Apr 17, 2026 Full analysis →

References (7)

Core 7

Scores

CVSS v3 5.5
EPSS 0.0001
EPSS Percentile 0.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2026-02-11
CWE
CWE-269
Status published
Published Apr 17, 2026
Tracked Since Apr 17, 2026