CVE-2025-7771
Published 2025-08-06
Priority: high · CVSS 4.0: 8.7
Tags: exploited in the wild (ITW exploit), VulnCheck KEV, ransomware
EPSS: 8.96% (94.6th percentile)
ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This insecure implementation can be exploited by a malicious user-mode application to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges. The vulnerability enables local attackers to execute arbitrary code in kernel context, resulting in privilege escalation and potential follow-on attacks, such as disabling security software or bypassing kernel-level protections. ThrottleStop.sys version 3.0.0.0 and possibly others are affected. Apply updates per vendor instructions.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| techpowerup | throttlestop | — | — |
Detection & IOCs (extracted from sources)
Byte pattern: 4? BA 00 00 40 75 00 65 48 8B
YARA rule (the string identifiers were extraction-damaged, e.g. "$ shellcode_template" and "4 ?"; they are restored to valid YARA syntax here):

```yara
import "pe"

rule AVKiller_MmMapIoSpace {
    meta:
        description = "Rule to detect the AV Killer"
        author = "Kaspersky"
        copyright = "Kaspersky"
        version = "1.0"
        last_modified = "2025-05-14"
        hash = "a88daa62751c212b7579a57f1f4ae8f8"
    strings:
        // nibble-wildcard prefix, then the opcode sequence of the shellcode template
        $shellcode_template = { 4? BA 00 00 40 75 00 65 48 8B }
        $ntoskrnl = "ntoskrnl.exe"
        $NtAddAtom = "NtAddAtom"
        // IOCTL codes as little-endian 32-bit immediates: 0x8000649C (write), 0x80006498 (read)
        $ioctl_mem_write = { 9C 64 00 80 }
        $ioctl_mem_read = { 98 64 00 80 }
    condition:
        pe.is_pe and pe.imports("kernel32.dll", "DeviceIoControl") and all of them
}
```

Detection guidance:
- Monitor for loading of the known vulnerable driver ThrottleStop.sys (SHA-256: 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0) via a service named 'ThrottleStop'; the driver is signed by TechPowerUp LLC (DigiCert EV Code Signing CA, serial 0a fc 69 77 2a e1 ea 9a 28 57 31 b6 aa 45 23 c6).
- Detect user-mode processes issuing DeviceIoControl calls to the device \\.\ThrottleStop with IOCTL codes 0x80006498 (read) or 0x8000649C (write) to identify exploitation of the physical memory read/write primitives.
- Alert on the AV killer binary (All.exe, SHA-256: 7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09) enumerating processes via Process32FirstW/Process32NextW and targeting security product process names such as MsMpEng.exe, CSFalconService.exe, ekrn.exe, SentinelAgent.exe, etc.
- Hunt for the malicious driver dropped as ThrottleBlood.sys, which is the renamed/weaponized copy of ThrottleStop.sys used by the AV killer to load the vulnerable driver.
- Detect use of NtQuerySystemInformation with the SystemSuperfetchInformation (SuperFetch) class to perform virtual-to-physical address translation, a key step in exploiting the driver's MmMapIoSpace primitive.
- Alert on the kernel code injection pattern: shellcode written via the driver that jumps to a target kernel function address (NtAddAtom used as the injection vector), followed by restoration of the original kernel bytes.
- Flag exploit attempts that drop the driver to C:\Users\Public\a.sys and register it as a SERVICE_KERNEL_DRIVER service named 'ThrottleStop' via OpenSCManager/CreateService/StartService.
- Detect LSASS PPL protection removal: writes of 0x0 to EPROCESS offsets +0x6ca (PS_PROTECTION) and +0x6c8 (SignatureLevel) via the vulnerable driver, followed by AddSecurityPackageA loading a DLL from c:\windows\system32\ntssp.dll.

Caveats:
- The exploit code uses hardcoded EPROCESS offsets (e.g., +0x2e0 UniqueProcessId, +0x2e8 ActiveProcessLinks, +0x6ca PS_PROTECTION, +0x6c8 SignatureLevel, NT base + 0x5412e0 for PsInitialSystemProcess) that are specific to the tested Windows 11 build; these offsets will differ across OS versions and patch levels.
- ThrottleStop.sys version 3.0.0.0 is confirmed affected; other versions may also be vulnerable but have not been explicitly confirmed.
- The vendor was preparing a patch at the time of publication; the driver's legitimate signing certificate (TechPowerUp LLC) means it may bypass driver blocklist controls until the vulnerable version is explicitly added to the Microsoft Vulnerable Driver Blocklist.
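As an added example (not code from this page, from Kaspersky, or from TechPowerUp), the following Python applies the detection notes above to a few constructed telemetry lines. It also shows why the YARA rule's `9C 64 00 80` and `98 64 00 80` byte strings are simply the two IOCTL codes written as little-endian 32-bit immediates, and implements a small matcher for the `4?` nibble-wildcard hex pattern so the `$shellcode_template` string can be checked against a buffer. The JSON event schema, its field names, the rule names and the sample events are all assumptions made for the illustration; the hashes, device path, IOCTL codes, file paths and driver names come from the detection notes.

```python
import json
import re
import struct

# Indicators taken from the detection notes above.
VULN_DRIVER_SHA256 = "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0"
AVKILLER_SHA256 = "7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09"
DEVICE_PATH = r"\\.\ThrottleStop"
IOCTL_MEM_READ = 0x80006498
IOCTL_MEM_WRITE = 0x8000649C
DROP_PATH = r"c:\users\public\a.sys"
DRIVER_NAMES = {"throttlestop.sys", "throttleblood.sys"}
SHELLCODE_TEMPLATE = "4? BA 00 00 40 75 00 65 48 8B"


def ioctl_le_bytes(code: int) -> bytes:
    """An IOCTL code as the little-endian 32-bit immediate the YARA rule searches for."""
    return struct.pack("<I", code)


def hex_pattern_to_regex(pattern: str):
    """Compile a YARA-style hex pattern ('??' byte wildcard, '4?' / '?B' nibble wildcards) to a bytes regex."""
    parts = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"bad hex token {tok!r}")
        hi, lo = tok
        if tok == "??":
            parts.append(b".")
        elif lo == "?":  # high nibble fixed: one contiguous byte range, e.g. 0x40-0x4F
            base = int(hi, 16) << 4
            parts.append(b"[" + re.escape(bytes([base])) + b"-" + re.escape(bytes([base | 0xF])) + b"]")
        elif hi == "?":  # low nibble fixed: sixteen scattered byte values
            low = int(lo, 16)
            parts.append(b"[" + b"".join(re.escape(bytes([(h << 4) | low])) for h in range(16)) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_bytes(buf: bytes) -> list:
    """Offsets in buf where the $shellcode_template hex string would match."""
    return [m.start() for m in hex_pattern_to_regex(SHELLCODE_TEMPLATE).finditer(buf)]


def scan_events(lines) -> list:
    """Apply the detection notes to JSON telemetry lines (assumed schema); returns (rule, pid_or_image) tuples."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "driver_load":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if ev.get("sha256", "").lower() == VULN_DRIVER_SHA256 or name in DRIVER_NAMES:
                findings.append(("vulnerable_driver_load", ev["image"]))
        elif kind == "service_create":
            if ev.get("type") == "SERVICE_KERNEL_DRIVER" and (
                ev.get("name", "").lower() == "throttlestop" or ev.get("image", "").lower() == DROP_PATH
            ):
                findings.append(("throttlestop_service_registered", ev["pid"]))
        elif kind == "device_ioctl":
            if ev.get("device") == DEVICE_PATH and int(ev["code"], 16) in (IOCTL_MEM_READ, IOCTL_MEM_WRITE):
                findings.append(("physmem_ioctl", ev["pid"]))
        elif kind == "process_create":
            if ev.get("sha256", "").lower() == AVKILLER_SHA256:
                findings.append(("avkiller_binary", ev["image"]))
    return findings


# Constructed sample telemetry (not from any real incident); the last line is benign noise.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event": "process_create", "pid": 4212, "image": r"C:\Users\Public\All.exe", "sha256": AVKILLER_SHA256},
    {"event": "service_create", "pid": 4212, "name": "ThrottleStop", "type": "SERVICE_KERNEL_DRIVER",
     "image": r"C:\Users\Public\a.sys"},
    {"event": "driver_load", "image": r"C:\Users\Public\a.sys", "sha256": VULN_DRIVER_SHA256},
    {"event": "device_ioctl", "pid": 4212, "device": r"\\.\ThrottleStop", "code": "0x80006498"},
    {"event": "device_ioctl", "pid": 4212, "device": r"\\.\ThrottleStop", "code": "0x8000649C"},
    {"event": "device_ioctl", "pid": 900, "device": r"\\.\PhysicalDrive0", "code": "0x00070000"},
]]

if __name__ == "__main__":
    print("write IOCTL as bytes:", ioctl_le_bytes(IOCTL_MEM_WRITE).hex(" "))
    for rule, who in scan_events(SAMPLE_EVENTS):
        print(f"{rule:32s} {who}")
```

The byte-pattern matcher is the reason the YARA `$ioctl_mem_*` strings and the IOCTL codes in the detection notes are the same indicator: a user-mode caller passes the code to DeviceIoControl as a 32-bit immediate, which lands in the binary little-endian. The event rules fire on the sequence the notes describe (AV killer binary, kernel-driver service named ThrottleStop, the vulnerable driver loading from C:\Users\Public\a.sys, and read/write IOCTLs to \\.\ThrottleStop); the ThrottleBlood.sys name check covers the renamed copy mentioned in the hunt item.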
CVSS provenance
- NVD: CVSS v4.0 8.7 HIGH, vector CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 8.7 HIGH
GHSA
GHSA-f8p7-vvxp-hcxv: ThrottleStop
ghsa_unreviewed · 2025-08-06 · CVE-2025-7771 [HIGH] · CWE-782
VulnCheck
Exposed IOCTL with Insufficient Access Control
vulncheck · 2025 · CVSS 8.7 · CVE-2025-7771 [HIGH]
Affected: ThrottleStop ThrottleStop.sys
Required Action: Apply remediatio
No detection rules found.
Checkpoint
11th August – Threat Intelligence Report
blogs_checkpoint · 2025-08-11 · CVE-2025-54136
## 11th August – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th August, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Air France has experienced a data breach that resulted in unauthorized access to customer data through a compromised external customer service platform. The attack exposed personal information, including names, email addresses, phone numbers, frequent flyer program details, and recent transactions, but did not affect custom
Securelist
Driver of destruction: How a legitimate driver is being used to take down AV processes
blogs_securelist · 2025-08-06
Authors
Cristian Souza
Ashley Muñoz
Eduardo Ovalle
Francesco Figurelli
Anderson Leite
## Introduction
ThrottleStop.sys
It is important to note that Kaspersky products, such as Kaspersky Endpoint Security (KES), have built-in self-defense mechanisms that prevent the alteration or termination of memory processes, deletion of application files on the hard drive, and changes in system registry entries. These mechanisms effectively counter the AV killer described in the article.
Invoke-SMBExec.ps1 (code listing, truncated in the excerpt):
Invoke-WMIExec -Target "