cbcvebase.
CVE-2025-61155
published 2025-10-28

CVE-2025-61155: The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode…

PriorityP187medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
ITWVulnCheck KEVRansomware
Exploited in the wild
EPSS
0.27%
19.2th percentile
The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process can open a handle to the driver device and send specially crafted IOCTL requests. These requests are executed in kernel-mode context without proper authentication or access validation, allowing the attacker to terminate arbitrary processes, including critical system and security services, without requiring administrative privileges.

Detection & IOCsextracted from sources · hover to see the quote

filenameGameDriverX64.sys
filenameGameDriverX64.sys
  • CVE-2025-61155 is exploited via BYOVD: a user-mode process opens a handle to the GameDriverX64.sys device and sends specially crafted IOCTL requests in kernel-mode context without authentication, enabling termination of arbitrary processes including EDR/AV without admin privileges.
  • Hunt for GameDriverX64.sys (Tower of Fantasy anti-cheat driver) loaded on non-gaming hosts, particularly in enterprise/EDR environments — its presence is a strong BYOVD indicator for CVE-2025-61155 exploitation.
  • MintLoader initial access uses a time-based URL path (Unix epoch floored to 16-second intervals) for payload retrieval; the PowerShell pattern `$w - ($w % 16)` is a distinctive signature for this loader's C2 beacon URL construction.
  • ·CVE-2025-61155 affects GameDriverX64.sys v7.23.4.7 and earlier; versions beyond this threshold are not confirmed vulnerable.
  • ·The Interlock RAT JavaScript payloads use randomized string-retrieval function names per build (e.g., 'a0n()'), so string-based static detection rules targeting specific function names will have limited coverage across samples.
  • ·Backdoor.Turn C2 traffic is indistinguishable from legitimate Microsoft Teams TURN relay traffic at the network layer; network-based detection relying solely on destination IP/domain blocking of Microsoft infrastructure will generate false positives or miss the malware entirely.

CVSS provenance

nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vulncheck5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.