Disclosure for CVE-2025-61156, an insecure access control, kernel-mode vulnerability found in ThreatFire System Monitor abused in the wild for BYOVD and EDR evasion.# CVE-2025-61156
A vulnerability was discovered in the ThreatFire System Monitor (<=[v4.7.0.53](https://threatfire.informer.com/download/)) kernel-mode **TfSysMon.sys** component that allows unprivileged users to perform arbitrary process termination with kernel-mode privileges. As a result, PPL and protected system processes can be forcefully stopped, including but not limited to anti-malware, EDR solutions, agentic clients, and so on. This can result in both local **EDR Bypass** and **Denial of Service**.
As mentioned above, due to the lack of a proper DACL limiting access to who and who cannot open a `HANDLE` to this driver, low privileged users including non-Administrators can freely terminate PPL and other protected processes, or cause local denial of service, with kernel privileges via the vulnerable driver.
As of disclosure, this version of the driver does not appear to be included in [Microsoft's Blocked Drivers List](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), and can still be abused by threat actors in BYOVD scenarios. Furthermore, the digital signature on the driver appears to remain valid and unrevoked.
[4.0K] /data/pocs/a7180a8ca21691e8210787d4f210880e35693b9b
├── [ 73K] 235150D847D07BC6B11282C01243EBD01570FA079A2798CACC34F8DFE6BEBC00.sys
├── [1.0K] LICENSE
├── [2.6K] poc.cpp
└── [1.2K] README.md
1 directory, 4 files