CrowdStrike EDR Zero-Day Allows Disabling of Security Features

Marcus Rodriguez
April 14, 2026 3 Min Read

Key Takeaways

  • A zero-day “Bring Your Own Vulnerable Driver” (BYOVD) attack can disable leading endpoint detection and response (EDR) solutions, including CrowdStrike Falcon.
  • The attack leverages legitimately signed kernel drivers to bypass security features and terminate critical security processes from kernel mode.
  • Over 15 variants of the malicious driver exist, all with valid Microsoft digital signatures, allowing them to load undetected by current antivirus engines.
  • A proof-of-concept exploit, “PoisonKiller,” successfully demonstrated the ability to terminate the CrowdStrike EDR process.

A significant vulnerability has emerged in the realm of endpoint security, exposing prominent solutions like CrowdStrike Falcon to a novel “Bring Your Own Vulnerable Driver” (BYOVD) attack. This sophisticated method, recently uncovered by a cybersecurity researcher, demonstrates the capacity to completely neutralize even top-tier endpoint defenses.

The core of this exploit lies in the reverse engineering of an undisclosed zero-day kernel driver. The researcher’s findings reveal how malicious actors can use legitimately signed drivers to circumvent endpoint detection and response (EDR) systems with alarming efficacy.

BYOVD attacks operate by introducing a trusted, yet flawed, driver onto a compromised system. This driver, despite its underlying vulnerabilities, gains elevated kernel privileges, providing attackers with deep system access.

The investigation identified more than 15 distinct versions of this nefarious driver. Critically, every variant possesses valid Microsoft digital signatures, meaning they have not been flagged or revoked by the vendor. This legitimate signing grants them an unparalleled level of trust within the operating system.

Compounding the concern, scans conducted on platforms like VirusTotal show a complete absence of detections from contemporary antivirus engines. This indicates a significant blind spot in current security paradigms.

Since the driver is digitally signed and considered highly trustworthy, Windows permits its seamless loading into kernel mode without triggering any security alerts. This provides attackers with a stealthy and potent foothold within the system.

Reverse Engineering the IOCTL

During a detailed technical analysis utilizing IDA Pro, the researcher successfully navigated past an obfuscated entry point to meticulously examine the driver’s central device-control handler.

After a rigorous cleanup process to clarify the heavily mangled decompiled code, a critical input/output control (IOCTL) interface was identified. Specifically, the IOCTL code 0x22E010 was found to activate a dedicated routine designed for process termination.

The driver accepts a process ID as a string, converts it to an integer using standard C functions, and then executes the termination command. The profound danger stems from the driver’s ability to terminate security processes directly from the kernel level.

It employs the kernel functions ZwOpenProcess and ZwTerminateProcess to forcibly shut down active applications, bypassing conventional security barriers.

Under normal user-mode conditions, any attempt to close a Protected Process Light (PPL) service, such as CrowdStrike, would result in an immediate access denied error.

However, kernel-level commands completely bypass these user-mode protections, enabling the driver to silently eliminate critical security agents before threat actors deploy ransomware or other secondary payloads.

To validate the vulnerability, the core-jmp researcher dynamically traced the driver within a controlled test environment to pinpoint its symbolic link, which was identified as .{F8284233-48F4-4680-ADDD-F8284233}.

Leveraging this symbolic link in conjunction with the discovered IOCTL code, they developed a custom proof-of-concept exploit named PoisonKiller.

When loaded using standard command-line service tools, the PoisonKiller exploit successfully targeted and terminated the active CrowdStrike EDR process, demonstrating the practical impact of this vulnerability.

The complete technical analysis and exploit code have been made publicly available on GitHub, underscoring a critical oversight in how modern operating systems manage signed third-party drivers.

What You Should Do

  • Review and enhance driver integrity monitoring on all endpoints, focusing on newly loaded drivers and their origins.
  • Implement robust application control policies to restrict the execution of unsigned or unauthorized drivers.
  • Regularly audit system logs for unusual driver loading activities, especially those bypassing traditional security alerts.
  • Consider advanced behavioral analysis tools that can detect anomalous process termination attempts, even from privileged kernel levels.
  • Stay informed about updates and advisories from your EDR vendor regarding BYOVD protections and ensure all security solutions are fully patched.
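The pattern described in the IOCTL section (a signed driver loaded from an unusual location, followed shortly by the termination of a security agent) is what the audit and behavioral-analysis recommendations above are meant to catch. The following is an added detection example, not code from the article or from the core-jmp research: it runs over constructed Sysmon-style log lines (Event ID 6 driver load, Event ID 5 process termination) and assumes hypothetical protected process names and a placeholder vulnerable-driver hash list.

```python
import re
from datetime import datetime, timedelta

# Hypothetical placeholders: in practice populate from a vendor driver blocklist.
VULNERABLE_DRIVER_HASHES = {"SHA256=PLACEHOLDER_VULN_DRIVER_HASH"}
# Hypothetical names of security agent processes whose termination is suspicious.
PROTECTED_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WINDOW = timedelta(seconds=120)  # kill shortly after a suspicious load

# Constructed sample log in a simplified Sysmon-like key=value layout.
# Note the suspicious driver is Signed=true: a valid signature is not a signal here.
SAMPLE_LOG = """\
2026-04-14T10:00:01 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys Hashes=SHA256=AAA Signed=true
2026-04-14T10:01:10 EventID=6 ImageLoaded=C:\\Users\\Public\\svc.sys Hashes=SHA256=PLACEHOLDER_VULN_DRIVER_HASH Signed=true
2026-04-14T10:01:42 EventID=5 Image=C:\\Program Files\\EDR\\edr_agent.exe
2026-04-14T10:30:00 EventID=5 Image=C:\\Windows\\notepad.exe
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict; values may contain spaces."""
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect(log_text):
    """Return alerts for suspicious driver loads and for protected-process
    terminations that follow such a load within WINDOW (the BYOVD kill pattern)."""
    alerts, suspicious_loads = [], []
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev["EventID"] == "6":
            reasons = []
            if not ev["ImageLoaded"].lower().startswith(DRIVER_DIR):
                reasons.append("driver loaded from outside the system driver directory")
            if ev.get("Hashes") in VULNERABLE_DRIVER_HASHES:
                reasons.append("hash matches known-vulnerable driver list")
            if reasons:
                suspicious_loads.append(ev)
                alerts.append(("suspicious_driver_load", ev["ImageLoaded"], "; ".join(reasons)))
        elif ev["EventID"] == "5":
            name = ev["Image"].rsplit("\\", 1)[-1].lower()
            recent_load = any(timedelta(0) <= ev["ts"] - d["ts"] <= WINDOW for d in suspicious_loads)
            if name in PROTECTED_PROCESSES and recent_load:
                alerts.append(("edr_killed_after_driver_load", ev["Image"], "possible BYOVD process kill"))
    return alerts
```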
