CVE-2025-7771
published 2025-08-06


Priority: high
CVSS 4.0: 8.7
Exploited in the wild; listed in VulnCheck KEV; associated with ransomware activity
EPSS: 8.96% (94.6th percentile)
ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This insecure implementation can be exploited by a malicious user-mode application to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges. The vulnerability enables local attackers to execute arbitrary code in kernel context, resulting in privilege escalation and potential follow-on attacks, such as disabling security software or bypassing kernel-level protections. ThrottleStop.sys version 3.0.0.0 and possibly others are affected. Apply updates per vendor instructions.

Affected

1 range

Vendor      | Product      | Version range | Fixed in
techpowerup | throttlestop |               |

Detection & IOCs (extracted from sources)

hash: 6bc8e3505d9f51368ddf323acb6abc49
hash: 82ed942a52cdcf120a8919730e00ba37619661a3
hash: 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0
hash: a88daa62751c212b7579a57f1f4ae8f8
hash: c0979ec20b87084317d1bfa50405f7149c3b5c5f
hash: 7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09
filename: ThrottleBlood.sys
filename: All.exe
path: C:\Users\Public\a.sys
other: 0x80006498 (IOCTL mem read)
other: 0x8000649C (IOCTL mem write)
other: 0x8000645C (IOCTL_MMMAPIOSPACE)
process: \\.\ThrottleStop
bytes: 4? BA 00 00 40 75 00 65 48 8B
yara:
import "pe"
rule AVKiller_MmMapIoSpace {
    meta:
        description = "Rule to detect the AV Killer"
        author = "Kaspersky"
        copyright = "Kaspersky"
        version = "1.0"
        last_modified = "2025-05-14"
        hash = "a88daa62751c212b7579a57f1f4ae8f8"
    strings:
        // shellcode template; "4?" is a nibble wildcard, so the original "4 ?" (a separate "?" token) would not compile
        $shellcode_template = { 4? BA 00 00 40 75 00 65 48 8B }
        $ntoskrnl = "ntoskrnl.exe"
        $NtAddAtom = "NtAddAtom"
        // IOCTL codes as little-endian immediates: 0x8000649C and 0x80006498
        $ioctl_mem_write = { 9C 64 00 80 }
        $ioctl_mem_read = { 98 64 00 80 }
    condition:
        pe.is_pe and pe.imports("kernel32.dll", "DeviceIoControl") and all of them
}
  • Monitor for loading of the known vulnerable driver ThrottleStop.sys (SHA-256: 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0) via a service named 'ThrottleStop'; the driver is signed by TechPowerUp LLC (DigiCert EV Code Signing CA, serial 0a fc 69 77 2a e1 ea 9a 28 57 31 b6 aa 45 23 c6).
  • Detect user-mode processes issuing DeviceIoControl calls to the device \\.\ThrottleStop with IOCTL codes 0x80006498 (read) or 0x8000649C (write) to identify exploitation of the physical memory read/write primitives.
  • Alert on the AV killer binary (All.exe, SHA-256: 7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09) enumerating processes via Process32FirstW/Process32NextW and targeting security product process names such as MsMpEng.exe, CSFalconService.exe, ekrn.exe, SentinelAgent.exe, etc.
  • Hunt for the malicious driver dropped as ThrottleBlood.sys, which is the renamed/weaponized copy of ThrottleStop.sys used by the AV killer to load the vulnerable driver.
  • Detect use of NtQuerySystemInformation with SystemSuperfetchInformation (SuperFetch) class to perform virtual-to-physical address translation, a key step in exploiting the driver's MmMapIoSpace primitive.
  • Alert on kernel code injection pattern: shellcode written via the driver that jumps to a target kernel function address (NtAddAtom used as injection vector), followed by restoration of original kernel bytes.
  • Flag exploit attempts that drop the driver to C:\Users\Public\a.sys and register it as a SERVICE_KERNEL_DRIVER service named 'ThrottleStop' via OpenSCManager/CreateService/StartService.
  • Detect LSASS PPL protection removal: writes of 0x0 to EPROCESS offsets +0x6ca (PS_PROTECTION) and +0x6c8 (SignatureLevel) via the vulnerable driver, followed by AddSecurityPackageA loading a DLL from c:\windows\system32\ntssp.dll.
  • The exploit code uses hardcoded EPROCESS offsets (e.g., +0x2e0 UniqueProcessId, +0x2e8 ActiveProcessLinks, +0x6ca PS_PROTECTION, +0x6c8 SignatureLevel, NT base + 0x5412e0 for PsInitialSystemProcess) that are specific to the tested Windows 11 build; these offsets will differ across OS versions and patch levels.
  • ThrottleStop.sys version 3.0.0.0 is confirmed affected; other versions may also be vulnerable but have not been explicitly confirmed.
  • The vendor was preparing a patch at time of publication; the driver's legitimate signing certificate (TechPowerUp LLC) means it may bypass driver blocklist controls until the vulnerable version is explicitly added to the Microsoft Vulnerable Driver Blocklist.
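The detection bullets above give a driver hash, a service name, a device path, three IOCTL codes and a drop path, but no logic that ties them together. The Python below is an added example, not part of this record or of any vendor's tooling: it runs a constructed, simplified stream of endpoint events (process creation, service creation, DeviceIoControl) through the indicators listed on this page and decodes each IOCTL into its CTL_CODE fields. The event field names, the host names and the second host's driver hash are assumptions. Because the legitimate ThrottleStop application is assumed to talk to its own driver with the same codes, an IOCTL match on its own is reported under a weaker rule than one that follows a load of the known-vulnerable driver on the same host.

```python
"""Added example (not from the advisory or any vendor): correlate simplified
endpoint telemetry against the CVE-2025-7771 indicators listed on this page.
The event dicts are a constructed telemetry shape; the hashes, IOCTL codes,
device path, service name and drop path are taken from the record."""

from typing import Dict, Iterable, List, Tuple

# Indicators from the record above.
VULN_DRIVER_SHA256 = "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0"
AV_KILLER_SHA256 = "7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09"
DEVICE_PATH = r"\\.\throttlestop"          # compared case-insensitively
SERVICE_NAME = "throttlestop"
DROP_PATH = r"c:\users\public\a.sys"
RENAMED_DRIVER = "throttleblood.sys"
SUSPECT_IOCTLS = {
    0x80006498: "physical memory read",
    0x8000649C: "physical memory write",
    0x8000645C: "IOCTL_MMMAPIOSPACE",
}

# CTL_CODE layout: DeviceType (bits 16-31) | Access (14-15) | Function (2-13) | Method (0-1)
_METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
_ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
           "FILE_READ_ACCESS|FILE_WRITE_ACCESS")

Finding = Tuple[str, str, str]  # (host, rule, detail)


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a Windows IOCTL code into its CTL_CODE fields.

    Device types 0x8000 and above are the vendor-defined range, which is why
    all three ThrottleStop codes begin with 0x8000."""
    return {
        "device_type": code >> 16,
        "access": _ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": _METHODS[code & 0x3],
    }


def evaluate(events: Iterable[Dict]) -> List[Finding]:
    """Walk events in order and emit findings. A suspect IOCTL on a host that
    already loaded the vulnerable driver is reported as a chain, not a lone hit."""
    findings: List[Finding] = []
    driver_loaded_on = set()

    for ev in events:
        host = ev.get("host", "unknown")
        kind = ev.get("type")

        if kind == "process_create" and ev.get("sha256", "").lower() == AV_KILLER_SHA256:
            findings.append((host, "av_killer_hash", ev.get("image", "")))

        elif kind == "service_create":
            path = ev.get("image_path", "").lower()
            known_hash = ev.get("sha256", "").lower() == VULN_DRIVER_SHA256
            suspicious_path = path == DROP_PATH or path.endswith("\\" + RENAMED_DRIVER)
            if known_hash or (ev.get("service", "").lower() == SERVICE_NAME and suspicious_path):
                driver_loaded_on.add(host)
                findings.append((host, "vuln_driver_load", path))

        elif kind == "device_ioctl" and ev.get("device", "").lower() == DEVICE_PATH:
            code = ev.get("ioctl", 0)
            if code in SUSPECT_IOCTLS:
                fields = decode_ioctl(code)
                detail = (f"{ev.get('image', '')} -> 0x{code:08X} "
                          f"({SUSPECT_IOCTLS[code]}, function 0x{fields['function']:03X})")
                rule = "ioctl_chain_after_driver_load" if host in driver_loaded_on else "ioctl_suspect_code"
                findings.append((host, rule, detail))

    return findings


# Constructed sample telemetry: ws01 shows the full chain; ws02 shows only the IOCTL,
# issued by what is assumed to be the legitimate application (placeholder driver hash).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "image": r"C:\Users\Public\All.exe",
     "sha256": AV_KILLER_SHA256},
    {"type": "service_create", "host": "ws01", "service": "ThrottleStop",
     "image_path": r"C:\Users\Public\a.sys", "sha256": VULN_DRIVER_SHA256},
    {"type": "device_ioctl", "host": "ws01", "image": r"C:\Users\Public\All.exe",
     "device": r"\\.\ThrottleStop", "ioctl": 0x80006498},
    {"type": "device_ioctl", "host": "ws01", "image": r"C:\Users\Public\All.exe",
     "device": r"\\.\ThrottleStop", "ioctl": 0x8000649C},
    {"type": "service_create", "host": "ws02", "service": "ThrottleStop",
     "image_path": r"C:\Program Files\ThrottleStop\ThrottleStop.sys",
     "sha256": "PLACEHOLDER_HASH_OF_ANOTHER_BUILD"},
    {"type": "device_ioctl", "host": "ws02", "image": r"C:\Program Files\ThrottleStop\ThrottleStop.exe",
     "device": r"\\.\ThrottleStop", "ioctl": 0x80006498},
]


def run_sample() -> List[Finding]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, rule, detail in run_sample():
        print(f"{host:5} {rule:30} {detail}")
```

On the sample, ws01 yields the hash match, the driver load from the drop path and two chain findings, while ws02 yields a single lower-confidence IOCTL finding. The decode shows that the read and write codes differ only in their function numbers (0x926 and 0x927) and both use METHOD_BUFFERED, which is what a detection author would key on when the driver vendor rebuilds with a new device type.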

CVSS provenance

NVD: CVSS v4.0, 8.7 HIGH, CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 8.7 HIGH