CVE-2025-1055
published 2025-06-11

Priority: P2 · 79 · medium · 5.6 (CVSS 3.1)
Vector: AV:L / AC:H / PR:L / UI:N / S:C / C:N / I:N / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.21% (11.3th percentile)

A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL requests to terminate a wide range of processes running with administrative or system-level privileges, with the exception of those inherently protected by the operating system. This flaw stems from missing access control in the driver's IOCTL handler, enabling unprivileged users to perform privileged actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical services or privileged applications.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
k7_security | k7_security_anti-malware | < 23.0.0.10 | 23.0.0.10
msrc | cbl2_kernel_5.15.32.1-3_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_1.0_arm | |
msrc | cbl_mariner_1.0_x64 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
msrc | cm1_kernel_5.10.111.1-1_on_cbl_mariner_1.0 | |

Detection & IOCs (extracted from sources)

filename: K7RKScan.sys
  • Monitor for low-privilege processes sending IOCTL requests to the K7RKScan.sys driver; such requests from non-administrative processes are anomalous and indicative of exploitation.
  • Alert on unexpected terminations of privileged/system-level processes, especially security tools, which may indicate exploitation of the missing access control in the K7RKScan.sys IOCTL handler.
  • In the context of DragonForce intrusions, look for K7RKScan.sys driver load events co-occurring with DLL sideloading activity (a legitimate VirtualBox/DbgView executable paired with a malicious DLL) and ZIP archive drops under a tech support pretext.
  • The driver terminates processes with administrative or system-level privileges but cannot terminate processes inherently protected by the operating system (e.g., PPL-protected processes); detection scope should account for this limitation.
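
The first, second and fourth points above can be combined into one correlation rule. The following is an added example, not code from this page or from any vendor. The Event record, its field names, the 30-second window and the sample telemetry are all assumptions made for illustration; only the driver file name and the fixed version come from this entry.

```python
from dataclasses import dataclass

FIXED = (23, 0, 0, 10)   # "Fixed in" version from the Affected table
DRIVER = "k7rkscan.sys"  # file name from this entry, lower-cased for matching
WINDOW = 30              # seconds; correlation window is an assumption

@dataclass
class Event:                 # hypothetical normalized EDR record
    ts: int                  # epoch seconds
    kind: str                # "driver_ioctl" or "proc_exit"
    host: str
    image: str               # requesting process, or the process that exited
    integrity: str           # "low", "medium", "high" or "system"
    driver: str = ""         # target driver file name (driver_ioctl only)
    product_ver: str = ""    # installed K7 product version, from inventory
    protected: bool = False  # PPL-protected process (proc_exit only)

def vulnerable(version: str) -> bool:
    """True when the installed product version is below the fixed release."""
    return tuple(int(p) for p in version.split(".")) < FIXED

def detect(events):
    """Flag low-privilege IOCTLs to K7RKScan.sys on a vulnerable install that
    are followed within WINDOW seconds by exits of privileged, non-PPL
    processes on the same host."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for e in events:
        if (e.kind != "driver_ioctl" or e.driver.lower() != DRIVER
                or e.integrity not in ("low", "medium")
                or not vulnerable(e.product_ver)):
            continue
        killed = [x.image for x in events
                  if x.kind == "proc_exit" and x.host == e.host
                  and 0 <= x.ts - e.ts <= WINDOW
                  and x.integrity in ("high", "system") and not x.protected]
        if killed:
            alerts.append({"host": e.host, "source": e.image, "killed": killed})
    return alerts

# Constructed sample telemetry (not from this page or any real incident).
SAMPLE = [
    Event(100, "driver_ioctl", "ws01", "updater.exe", "medium", "K7RKScan.sys", "22.0.0.5"),
    Event(102, "proc_exit", "ws01", "edr_agent.exe", "system"),
    Event(103, "proc_exit", "ws01", "protected_svc.exe", "system", protected=True),
    Event(200, "driver_ioctl", "ws02", "k7_ui.exe", "system", "K7RKScan.sys", "22.0.0.5"),
    Event(201, "proc_exit", "ws02", "backup.exe", "system"),
    Event(300, "driver_ioctl", "ws03", "tool.exe", "medium", "K7RKScan.sys", "23.0.0.10"),
    Event(301, "proc_exit", "ws03", "av.exe", "system"),
]
```

Only ws01 alerts: the ws02 request comes from a system-level process, ws03 runs the fixed version, and the PPL-protected exit on ws01 is excluded because the driver cannot terminate such processes.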

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 5.6 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
vulncheck | | 5.6 | MEDIUM |
vendor_msrc | | 7.8 | HIGH |