CVE-2026-0828

HIGH

Safetica Endpoint Client 10.5.75.0/11.11.4.0 - Protected Process Termination

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-0828. PoCs published by KOSEC-LLC, mein-0.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2026-0828, demonstrating multiple BYOVD (Bring Your Own Vulnerable Driver) vulnerabilities across different drivers. Each PoC includes specific IOCTL codes and structures to interact with vulnerable drivers, enabling process termination, arbitrary kernel reads, and other dangerous operations.

Description

Kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64 , versions 10.5.75.0 and 11.11.4.0, allows unprivileged user to abuse IOCTL path and terminate protected system processes.

Exploits (2)

nomisec WORKING POC 8 stars
by KOSEC-LLC · poc
https://github.com/KOSEC-LLC/BYOVD-Research

This repository contains functional exploit code for CVE-2026-0828, demonstrating multiple BYOVD (Bring Your Own Vulnerable Driver) vulnerabilities across different drivers. Each PoC includes specific IOCTL codes and structures to interact with vulnerable drivers, enabling process termination, arbitrary kernel reads, and other dangerous operations.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Multiple drivers (Adlice RootLaser.sys, EnCase EnPortv.sys, EsafeNet ProcessCtr.sys, Safetica STProcessMonitorDriver.sys, V-secure ZyArk.sys)
Auth required
Prerequisites: Administrator privileges · Vulnerable driver installed and running
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →
nomisec WORKING POC
by mein-0 · poc
https://github.com/mein-0/cve-2026-0828

This repository contains a functional exploit for CVE-2026-0828, which leverages a vulnerable IOCTL in Safetica's ProcessMonitorDriver.sys to terminate arbitrary processes, bypassing PPL protection. The exploit then escalates privileges to NT AUTHORITY\SYSTEM by stealing a token from winlogon.exe.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Safetica ProcessMonitorDriver.sys < 11.26.19 / < 10.5.150
Auth required
Prerequisites: Admin privileges · Safetica ProcessMonitorDriver.sys loaded
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/818729

Scores

CVSS v3 7.5
EPSS 0.0046
EPSS Percentile 36.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

Status published
Products (2)
Safetica/Endpoint Client 10.5.75.0
Safetica/Endpoint Client 11.11.4.0
Published Jun 26, 2026
Tracked Since Jun 26, 2026