cbcvebase.
CVE-2020-14979
published 2020-08-11

CVE-2020-14979: The WinRing0.sys and WinRing0x64.sys drivers 1.2.0 in EVGA Precision X1 through 1.0.6 allow local users, including low integrity processes, to read and write…

Priority: P2
CVSS 3.1: 7.8 (high), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 0.60% (44.5th percentile)
The WinRing0.sys and WinRing0x64.sys drivers 1.2.0 in EVGA Precision X1 through 1.0.6 allow local users, including low integrity processes, to read and write to arbitrary memory locations. This allows any user to gain NT AUTHORITY\SYSTEM privileges by mapping \Device\PhysicalMemory into the calling process.

Affected (2 ranges)

Vendor             Product        Version range   Fixed in
evga               precision_x1   <= 1.0.6        (not listed)
winring0_project   winring0       (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path: \Device\PhysicalMemory
  • Alert on any process mapping \Device\PhysicalMemory — this is the exploitation primitive used by CVE-2020-14979 to achieve NT AUTHORITY\SYSTEM from low-integrity processes.
  • Hunt for foxitcrack.exe on disk or in process telemetry; it is the SteelFox dropper masquerading as a Foxit PDF Editor crack and is the initial delivery vehicle for the CVE-2020-14979-exploiting driver.
  • Monitor outbound DNS resolution for ankjdans[.]xyz, especially via DNS-over-HTTPS to Google Public DNS (8.8.8.8/8.8.4.4), as SteelFox uses DoH to hide C2 domain resolution.
  • Detect the AppInfo service being launched by a non-system process followed by DLL injection — SteelFox loads itself inside AppInfo to prevent removal without NT\SYSTEM privileges.
  • Flag downloads or network connections to github[.]com/cppdev-123 repositories, which are used to host and update the XMRig miner component dropped by SteelFox.
  • The C2 domain ankjdans[.]xyz uses dynamically rotating IP addresses, so IP-based blocking alone is insufficient; domain-level blocking or DoH inspection is required.
  • The WinRing0.sys driver is also a legitimate component of XMRig; presence alone may generate false positives in mining environments — correlate with pipe name and privilege escalation behavior.
  • The XMRig component is periodically updated at the GitHub repository to evade detection of older versions; hash-based detections will require frequent updates.
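The detection notes above, turned into runnable rule logic over constructed telemetry. This is an added example, not code from the cbcvebase record or any vendor; the event schema (dicts with a "type" plus type-specific keys) and the GitHub repository path are assumptions, and the WinRing0 signal is deliberately kept weak until it is correlated with the \Device\PhysicalMemory mapping, as the false-positive note recommends.

```python
# Added example, not from the cbcvebase record or any vendor: a small rule engine that
# evaluates constructed telemetry events against the indicators listed above.
# The event schema (dicts with "type" plus type-specific keys) is an assumption.
import re

C2_DOMAIN = "ankjdans[.]xyz".replace("[.]", ".")   # IOC is defanged on the page
GOOGLE_DOH = {"8.8.8.8", "8.8.4.4"}
DROPPER = "foxitcrack.exe"
MINER_REPO = re.compile(r"^https?://github\.com/cppdev-123/", re.I)
WINRING0 = {"winring0.sys", "winring0x64.sys"}

def evaluate(event):
    """Return (indicator, severity) pairs matched by a single event."""
    hits, t = [], event.get("type")
    if t == "section_map" and event.get("object", "").lower() == r"\device\physicalmemory":
        # Exploitation primitive of CVE-2020-14979; worse from a low-integrity caller.
        hits.append(("physicalmemory_map", "high" if event.get("integrity") == "low" else "medium"))
    if t == "process_create" and event.get("image", "").lower().endswith(DROPPER):
        hits.append(("steelfox_dropper", "high"))
    if t == "dns" and event.get("query", "").lower().rstrip(".") == C2_DOMAIN:
        via_doh = event.get("transport") == "doh" and event.get("server") in GOOGLE_DOH
        hits.append(("steelfox_c2_dns", "high" if via_doh else "medium"))
    if t == "service_start" and event.get("service") == "AppInfo" and not event.get("parent_is_system", True):
        hits.append(("appinfo_nonsystem_launch", "medium"))
    if t == "network" and MINER_REPO.match(event.get("url", "")):
        hits.append(("xmrig_update_repo", "medium"))
    if t == "driver_load" and event.get("driver", "").lower() in WINRING0:
        # Also a legitimate XMRig component: on its own this is only a weak signal.
        hits.append(("winring0_driver", "low"))
    return hits

def triage(events):
    """Evaluate all events for one host and correlate the weak driver signal
    with the privilege-escalation behaviour, as the notes above recommend."""
    hits = [h for e in events for h in evaluate(e)]
    names = {n for n, _ in hits}
    if {"winring0_driver", "physicalmemory_map"} <= names:
        hits.append(("winring0_privesc_correlated", "critical"))
    return hits

# Constructed sample telemetry for one host (not real data); the repo path is a placeholder.
SAMPLE = [
    {"type": "process_create", "image": r"C:\Users\user\Downloads\foxitcrack.exe"},
    {"type": "driver_load", "driver": "WinRing0x64.sys"},
    {"type": "section_map", "object": r"\Device\PhysicalMemory", "integrity": "low"},
    {"type": "dns", "query": "ankjdans.xyz", "transport": "doh", "server": "8.8.8.8"},
    {"type": "service_start", "service": "AppInfo", "parent_is_system": False},
    {"type": "network", "url": "https://github.com/cppdev-123/PLACEHOLDER-REPO"},
]

if __name__ == "__main__":
    for name, sev in triage(SAMPLE):
        print(f"{sev:9} {name}")
```

A lone driver load of WinRing0 only yields a "low" hit; the "critical" correlated hit appears only when the same host also maps \Device\PhysicalMemory.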

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck   (n/a)     7.8     HIGH       (not listed)