CVE-2023-1626

5.3 MEDIUM

📋 TL;DR

This is a critical local privilege escalation vulnerability in Jianming Antivirus 16.2.2022.418. The vulnerability exists in the kvcore.sys driver's IoControlCode handler where memory corruption can be exploited by local attackers to execute arbitrary code with kernel privileges. Only users of this specific antivirus version are affected.

💻 Affected Systems

Products:
  • Jianming Antivirus
Versions: 16.2.2022.418
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with this specific antivirus version installed. The vulnerability is in the kernel driver kvcore.sys.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via kernel-level code execution, allowing attackers to install persistent malware, bypass security controls, and access all system resources.

🟠 Likely Case

Local privilege escalation from a standard user account to SYSTEM/administrator privileges, enabling installation of additional malware or credential theft.

🟢 If Mitigated

Limited impact if antivirus is patched or removed, though initial compromise would still require local access.

🌐 Internet-Facing: LOW - Requires local access to exploit, cannot be triggered remotely.
🏢 Internal Only: HIGH - Local attackers or malware with user-level access can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit code is publicly available on GitHub. Requires local execution privileges to trigger the vulnerable IoControlCode handler.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for updates in Jianming Antivirus.
2. If no update is available, consider uninstalling the software.
3. Monitor vendor channels for security updates.

🔧 Temporary Workarounds

Uninstall Jianming Antivirus (Windows)

Remove the vulnerable software entirely to eliminate the attack surface

Control Panel > Programs > Uninstall a program > Select Jianming Antivirus > Uninstall

Restrict driver loading (Windows)

Prevent loading of the vulnerable kvcore.sys driver by stopping and disabling its service (run from an elevated command prompt; the change persists across reboots because the start type is set to disabled)

sc stop jmfw
sc config jmfw start= disabled

🧯 If You Can't Patch

  • Implement strict local access controls and user privilege management
  • Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check antivirus version in program settings or via 'wmic product get name,version' for Jianming Antivirus version 16.2.2022.418

Check Version:

wmic product where "name like '%Jianming%'" get name,version

Verify Fix Applied:

Verify antivirus version is updated beyond 16.2.2022.418 or that the software is completely removed
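The checks above, combined into one script. This is an added example and not part of the advisory; it assumes the product registers an Uninstall key whose DisplayName contains "Jianming" and that the driver's service is named jmfw, as in the workaround section. It reads the registry instead of `wmic product` / Win32_Product, which is slow and triggers MSI consistency checks on every package.

```powershell
# Added example: report CVE-2023-1626 exposure on the local Windows host.
# Assumptions: DisplayName matches *Jianming* (assumed), driver service is "jmfw" (from the advisory).
$AffectedVersion = [version]'16.2.2022.418'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Registry lookup is fast and side-effect free, unlike Win32_Product.
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Jianming*' -and $_.DisplayVersion }

if (-not $products) {
    Write-Output 'Jianming Antivirus not found in the Uninstall registry: not affected by CVE-2023-1626.'
}

foreach ($p in $products) {
    $installed = $null
    if ([version]::TryParse($p.DisplayVersion, [ref]$installed)) {
        if ($installed -eq $AffectedVersion) {
            $status = 'VULNERABLE (affected build 16.2.2022.418)'
        } elseif ($installed -gt $AffectedVersion) {
            $status = 'newer than the affected build'
        } else {
            $status = 'older than the affected build; the advisory covers only 16.2.2022.418, confirm with the vendor'
        }
    } else {
        $status = "unparseable version string '$($p.DisplayVersion)': verify manually"
    }
    Write-Output ('{0} {1}: {2}' -f $p.DisplayName, $p.DisplayVersion, $status)
}

# Even if the package was updated or removed, confirm the vulnerable driver is not still resident.
$driver = Get-CimInstance Win32_SystemDriver -Filter "Name='jmfw'" -ErrorAction SilentlyContinue
if ($driver) {
    Write-Output ('Driver service {0}: State={1} StartMode={2} Path={3}' -f
        $driver.Name, $driver.State, $driver.StartMode, $driver.PathName)
    if ($driver.State -eq 'Running') {
        Write-Output 'kvcore.sys driver service is running: apply the workaround (sc stop jmfw; sc config jmfw start= disabled) or uninstall.'
    }
} else {
    Write-Output 'Driver service jmfw is not registered on this host.'
}
```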

📡 Detection & Monitoring

Log Indicators:

  • Unusual driver loading events for kvcore.sys
  • Process creation with SYSTEM privileges from user accounts
  • Antivirus service crashes or unexpected restarts

Network Indicators:

  • No network indicators - purely local exploitation

SIEM Query:

EventID=7045 AND (ServiceName="jmfw" OR ImagePath="*kvcore.sys*")
