CVE-2026-0828
HIGHSafetica Endpoint Client 10.5.75.0/11.11.4.0 - Protected Process Termination
Title source: manualExploitation Summary
EIP tracks 2 public exploits for CVE-2026-0828. PoCs published by KOSEC-LLC, mein-0.
AI-analyzed exploit summary This repository contains functional exploit code for CVE-2026-0828, demonstrating multiple BYOVD (Bring Your Own Vulnerable Driver) vulnerabilities across different drivers. Each PoC includes specific IOCTL codes and structures to interact with vulnerable drivers, enabling process termination, arbitrary kernel reads, and other dangerous operations.
Description
Kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64 , versions 10.5.75.0 and 11.11.4.0, allows unprivileged user to abuse IOCTL path and terminate protected system processes.
Exploits (2)
This repository contains functional exploit code for CVE-2026-0828, demonstrating multiple BYOVD (Bring Your Own Vulnerable Driver) vulnerabilities across different drivers. Each PoC includes specific IOCTL codes and structures to interact with vulnerable drivers, enabling process termination, arbitrary kernel reads, and other dangerous operations.
This repository contains a functional exploit for CVE-2026-0828, which leverages a vulnerable IOCTL in Safetica's ProcessMonitorDriver.sys to terminate arbitrary processes, bypassing PPL protection. The exploit then escalates privileges to NT AUTHORITY\SYSTEM by stealing a token from winlogon.exe.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N