CVE-2025-68947

NSecsoft NSecKrnl process termination privilege escalation

Basic Information

CVE State: PUBLISHED
Reserved Date: December 26, 2025
Published Date: January 13, 2026
Last Updated: March 10, 2026
Vendor: NSecsoft
Product: NSecKrnl
Description: NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver.

CVSS Scores

CVSS v4.0

5.7 - MEDIUM

Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS v3.1

4.7 - MEDIUM

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

SSVC Information

Exploitation: none
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2026-02-10 14:44:42 UTC) Source

References

https://www.virustotal.com/gui/file/206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261 https://hexastrike.com/resources/blog/threat-intelligence/valleyrat-exploiting-byovd-to-kill-endpoint-security/ https://github.com/ANYLNK/NSecSoftBYOVD https://www.cve.org/CVERecord?id=CVE-2025-68947 https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-013-01.json

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2026-02-10 14:44:42 UTC

Timeline

CVE ID Reserved

December 26, 2025
CVE Published to Public

January 13, 2026
Added to KEVIntel

February 10, 2026