CVE-2025-1055
Published 2025-06-11
Priority: P279 (medium); CVSS 3.1 base score 5.6
CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
In-the-wild exploitation: VulnCheck KEV
Exploited in the wild
EPSS: 0.21% (11.3th percentile)
A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL requests to terminate a wide range of processes running with administrative or system-level privileges, with the exception of those inherently protected by the operating system. This flaw stems from missing access control in the driver's IOCTL handler, enabling unprivileged users to perform privileged actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical services or privileged applications.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| k7_security | k7_security_anti-malware | < 23.0.0.10 | 23.0.0.10 |
| msrc | cbl2_kernel_5.15.32.1-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_kernel_5.10.111.1-1_on_cbl_mariner_1.0 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for low-privilege processes sending IOCTL requests to the K7RKScan.sys driver; such requests from non-administrative processes are anomalous and indicative of exploitation.
- Alert on unexpected terminations of privileged/system-level processes, especially security tools, which may indicate exploitation of the missing access control in the K7RKScan.sys IOCTL handler.
- In a DragonForce intrusion context, look for K7RKScan.sys driver load events co-occurring with DLL sideloading activity (a legitimate VirtualBox/DbgView executable paired with a malicious DLL) and ZIP archive drops under a tech-support pretext.
- The driver terminates processes with administrative or system-level privileges but cannot terminate processes inherently protected by the operating system (e.g., PPL-protected processes); detection scope should account for this limitation.
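As an added example that is not part of this record or of any vendor's tooling, the Python below correlates the two signals listed above (a K7RKScan.sys handle opened by a non-privileged process, followed within a short window by the exit of a privileged process that is not PPL-protected) over a constructed event stream. The event fields, integrity labels and window length are assumptions, not a real sensor schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event model, not a real sensor schema: one record per driver
# handle open and per process exit, carrying the Windows integrity level of
# the caller (driver_open) or of the exiting process (process_exit).
@dataclass
class Event:
    ts: datetime
    kind: str                # "driver_open" or "process_exit"
    pid: int
    integrity: str           # "Low", "Medium", "High" or "System"
    driver: str = ""         # driver_open: driver image name
    protected: bool = False  # process_exit: PPL/OS-protected process

PRIVILEGED = {"High", "System"}

def correlate(events, window=timedelta(seconds=30)):
    """Pair each K7RKScan.sys handle open by a non-privileged caller with
    exits of privileged, non-protected processes inside the window.
    Returns (caller pid, exited pid) pairs; PPL-protected exits are
    skipped because the flaw cannot terminate those processes."""
    suspicious_opens = [e for e in events
                        if e.kind == "driver_open"
                        and e.driver.lower() == "k7rkscan.sys"
                        and e.integrity not in PRIVILEGED]
    alerts = []
    for ex in events:
        if (ex.kind != "process_exit" or ex.integrity not in PRIVILEGED
                or ex.protected):
            continue
        for op in suspicious_opens:
            if timedelta(0) <= ex.ts - op.ts <= window:
                alerts.append((op.pid, ex.pid))
    return alerts

# Constructed sample: a medium-integrity process opens the driver and a SYSTEM
# service exits 5 s later (hit); a PPL process exit, a medium-integrity exit
# and an elevated open followed by an exit outside the window are all benign.
T0 = datetime(2025, 6, 11, 12, 0, 0)
SAMPLE = [
    Event(T0, "driver_open", 4242, "Medium", driver="K7RKScan.sys"),
    Event(T0 + timedelta(seconds=5), "process_exit", 7000, "System"),
    Event(T0 + timedelta(seconds=6), "process_exit", 7100, "System", protected=True),
    Event(T0 + timedelta(seconds=7), "process_exit", 7200, "Medium"),
    Event(T0 + timedelta(seconds=60), "driver_open", 9000, "High", driver="K7RKScan.sys"),
    Event(T0 + timedelta(seconds=65), "process_exit", 7300, "High"),
]
if __name__ == "__main__":
    print(correlate(SAMPLE))  # [(4242, 7000)]
```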
CVSS provenance
- nvd (v3.1): 5.6 MEDIUM, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
- vulncheck: 5.6 MEDIUM
- vendor_msrc: 7.8 HIGH
GHSA
GHSA-pmf4-2j7f-rq3c: A vulnerability in the K7RKScan
ghsa_unreviewed·2025-06-11
CVE-2025-1055 [MEDIUM] CWE-862 GHSA-pmf4-2j7f-rq3c: A vulnerability in the K7RKScan
VulnCheck
Missing Authorization
vulncheck·2025·CVSS 5.6
CVE-2025-1055 [MEDIUM] Missing Authorization
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://
Microsoft
Use after Free in tc_new_tfilter allowing for privilege escalation in Linux Kernel
vendor_msrc·2022-03-08·CVSS 7.8
CVE-2022-1055 [HIGH] CWE-416 Use after Free in tc_new_tfilter allowing for privilege escalation in Linux Kernel
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Relea
No detection rules found.
No public exploits indexed.
Hackernews
DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
blogs_hackernews·2026-06-18
CVE-2023-52271 DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.
According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was not disclosed.
"Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN
Bleepingcomputer
Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
blogs_bleepingcomputer·2026-06-16
CVE-2023-52271 Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
By Bill Toulas
DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
DragonForce is a ransomware operation active since at least 2023 that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.
According to researchers at the cybersecurity company Symantec, the hackers used custom Go-based malware in an attack against a major U.S. services company.