CVE-2023-52271
published 2024-01-08

Priority: P278 (medium)
CVSS 3.1 base score: 6.5 (medium), vector AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.33% (percentile 24.3)
The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which will be named at a later time).

Affected (1 range)

Vendor: topazevolution
Product: antifraud
Version range: <= 2.0.0.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: wsftprm.sys
version: wsftprm.sys 2.0.0.0
  • Monitor for wsftprm.sys (Topaz Antifraud kernel driver v2.0.0.0) being loaded by low-privileged processes; its IOCTL interface is abused to kill Protected Process Light (PPL) processes as a BYOVD technique.
  • Hunt for DLL sideloading via a ZIP archive containing a legitimate VirtualBox/DbgView executable paired with a malicious DLL; subsequent injection into DbgView64.exe is a strong indicator of Backdoor.Turn deployment.
  • Monitor for abuse of the LimitBlankPassword security policy and unexpected firewall rule modifications, which were used by DragonForce actors to strengthen persistence after initial access.
  • The specific IOCTL code used by wsftprm.sys to kill PPL processes has not yet been publicly disclosed at time of reporting.
  • The initial access vector (SQL/MSSQL exploitation) is unconfirmed; access via an initial access broker (IAB) is also considered possible, limiting pre-compromise detection specificity.

CVSS provenance

NVD: CVSS v3.1, 6.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
VulnCheck: 6.5 MEDIUM