CVE-2024-1853
Published 2024-03-14
Priority: P185 · CVSS 3.1: 5.5 (medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
In the wild: VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.20% (10.0th percentile)
Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zemana | antilogger | 2.74.204.664 (the only version reported) | — |
Detection & IOCs (extracted from sources)
- Monitor for IOCTL code 0x80002048 being sent to the zam64.sys or zamguard64.sys device objects; this control code is what triggers the arbitrary process termination.
- Killer Ultra unpacks the vulnerable Zemana driver and creates a new Windows service at runtime; monitor for service-creation events whose image path points to a freshly dropped driver file.
- BlackByte drops renamed copies of zamguard64.sys named as eight random alphanumeric characters, an underscore and an iterating number; monitor for driver files matching this pattern.
- The CVE is reported against Zemana AntiLogger v2.74.204.664 specifically; other versions may or may not be vulnerable.
- The Zemana zamguard driver was a core component of the commercial Terminator EDR-killer tool sold on illicit marketplaces. A single blocklist entry is insufficient on its own: threat actors rename the driver, so detections keyed on the original file name miss it, and a hash list only covers the builds it already knows.
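The following Python is an added example, not code from the page or from any of the vendors it cites. It decodes the 0x80002048 control code using the Windows CTL_CODE field layout (to show that it is a METHOD_BUFFERED request with FILE_ANY_ACCESS, which is why a low-privileged handle to the device suffices), then runs the checks listed above over a short stream of constructed events modelled on Sysmon DriverLoad/FileCreate and System 7045 service-install records. The event field names and types, the `signer` attribute and its "Zemana Ltd." value, the sample paths and the rule labels are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

ZEMANA_IOCTL = 0x80002048
ZEMANA_DRIVER_NAMES = {"zam64.sys", "zamguard64.sys"}
# BlackByte's reported renaming of zamguard64.sys: eight random alphanumerics,
# an underscore, then an iterating number (sample name aB3dE9xQ_1.sys is made up).
BLACKBYTE_RENAME = re.compile(r"^[A-Za-z0-9]{8}_\d+\.sys$", re.IGNORECASE)

# Windows CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method.
_METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
            2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
_ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
           2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE value into its fields. FILE_ANY_ACCESS means any
    handle opened to the device object may issue the request."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": _ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": _METHODS[code & 0x3],
    }


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(events) -> list:
    """Apply the IOC checks to simplified event dicts.
    Event shape (an assumption, modelled on Sysmon EID 6/11 and System EID 7045):
      {'id': int, 'type': 'DriverLoad'|'FileCreate'|'ServiceInstall',
       'image': path, 'signer': str (DriverLoad only)}"""
    alerts = []
    dropped_sys = set()  # lower-cased .sys paths written earlier in the stream
    for ev in events:
        name = _basename(ev["image"])
        lname = name.lower()
        if ev["type"] == "FileCreate" and lname.endswith(".sys"):
            dropped_sys.add(ev["image"].lower())
        # Known Zemana driver file name, wherever it shows up.
        if lname in ZEMANA_DRIVER_NAMES:
            alerts.append(Alert("zemana_driver_name", ev["id"], name))
        # BlackByte rename convention.
        if BLACKBYTE_RENAME.match(name):
            alerts.append(Alert("blackbyte_rename_pattern", ev["id"], name))
        # Renaming does not change the Authenticode signer: a Zemana-signed
        # driver loaded under any other file name is itself suspicious.
        if (ev["type"] == "DriverLoad"
                and "zemana" in ev.get("signer", "").lower()
                and lname not in ZEMANA_DRIVER_NAMES):
            alerts.append(Alert("renamed_zemana_driver", ev["id"], name))
        # Killer Ultra pattern: a service registered for a just-dropped driver.
        if ev["type"] == "ServiceInstall" and ev["image"].lower() in dropped_sys:
            alerts.append(Alert("service_for_dropped_driver", ev["id"], ev["image"]))
    return alerts


# Constructed sample stream (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "type": "DriverLoad", "image": r"C:\Windows\System32\drivers\zamguard64.sys", "signer": "Zemana Ltd."},
    {"id": 2, "type": "FileCreate", "image": r"C:\Users\Public\aB3dE9xQ_1.sys"},
    {"id": 3, "type": "ServiceInstall", "image": r"C:\Users\Public\aB3dE9xQ_1.sys"},
    {"id": 4, "type": "DriverLoad", "image": r"C:\Users\Public\aB3dE9xQ_1.sys", "signer": "Zemana Ltd."},
    {"id": 5, "type": "DriverLoad", "image": r"C:\Windows\System32\drivers\tcpip.sys", "signer": "Microsoft Windows"},
]


def run_sample() -> list:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(decode_ioctl(ZEMANA_IOCTL))
    for alert in run_sample():
        print(alert)
```

The decode gives device type 0x8000, function 0x812, METHOD_BUFFERED, FILE_ANY_ACCESS; the sample stream raises six alerts and none for the benign tcpip.sys load. In a real pipeline the signer check would read Sysmon's Signature/SignatureStatus fields, and the service check should be windowed in time rather than across an unbounded set.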
CVSS provenance
- nvd: v3.1 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- vulncheck: 5.5 MEDIUM
GHSA
GHSA-c73r-qm22-rmxf: Zemana AntiLogger v2
ghsa_unreviewed · 2024-03-15 · CVE-2024-1853 [MEDIUM] · CWE-283
Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.
VulnCheck
Zemana AntiLogger Arbitrary Process Termination Vulnerability
vulncheck · 2024 · CVSS 5.5 · CVE-2024-1853 [MEDIUM]
Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers.
Affected: Zemana AntiLogger
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.binarydefense.com/resources/blog/technical-analysis-killer-ultra-malware-targeting-edr-products-in-ransomware-attacks/
- https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/
- https://ti.qianxin.com/uploads/2025/02/21/5c66fbda0feb2714c53f54dcedcd2e43.pdf
- https://www.guidepoi
Suricata
ET WEB_SPECIFIC_APPS Tenda SetIpMacBind Multiple Parameters Buffer Overflow Attempt (CVE-2025-15216, CVE-2025-9089, CVE-2025-1853, CVE-2024-40417, CVE-2023-41556, CVE-2023-40902, CVE-2023-40896)
suricata · 2025-10-10 · CVSS 9.8 · CVE-2023-40902 [CRITICAL]
Note: this rule is indexed here only because its reference list includes CVE-2025-1853, a Tenda router buffer overflow. It does not reference CVE-2024-1853 and is not a detection for the Zemana driver.
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Tenda SetIpMacBind Multiple Parameters Buffer Overflow Attempt (CVE-2025-15216, CVE-2025-9089, CVE-2025-1853, CVE-2024-40417, CVE-2023-41556, CVE-2023-40902, CVE-2023-40896)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:20; content:"/goform/SetIpMacBind"; fast_pattern; http.request_body; pcre:"/(?:list|component|bindnum)\x3d[^&]{100,}(?:&|$)/"; reference:cve,2023-40902; reference:cve,2025-9089; reference:cve,2025-1853; reference:url,github.com/peris-navince/founded-0-days/blob/main/Tenda/ac10/SetIpMac
No public exploits indexed.
Talos
Exploring vulnerable Windows drivers
blogs_talos · 2024-12-19
## Exploring vulnerable Windows drivers
This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. Some of this research was presented at the AVAR conference in Chennai at the beginning of December 2024.
We would like to send a special thanks to Connor McGarr, Russell Sanford, Ryan Warns, Tim Harrison and Michal Poslušný for their previous work on analyzing vulnerabilities in drivers.
During our research into vulnerable Windows drivers, we investigated classes of vulnerabilities typically exploited by threat actors as well as the payloads they typically deploy post-exploitation. The attacks in which attackers are deliberately installing known vulnerable drivers only to later exploit them i