CVE-2025-0221

5.5 MEDIUM

📋 TL;DR

A local null pointer dereference vulnerability in IOBit Protected Folder's pffilter.sys driver allows attackers to cause denial of service (system crash/BSOD) through specially crafted IOCTL requests. This affects users of IOBit Protected Folder up to version 1.3.0 on Windows systems. The vulnerability requires local access to exploit.

💻 Affected Systems

Products:
  • IOBit Protected Folder
Versions: Up to and including version 1.3.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default. The pffilter.sys driver loads with the software.

⚠️ Risk & Real-World Impact

🔴 Worst Case

System crash/Blue Screen of Death (BSOD) leading to denial of service, potential data loss if unsaved work exists, and system downtime.

🟠 Likely Case

Local denial of service attack causing system instability or crash, requiring reboot to restore functionality.

🟢 If Mitigated

Limited impact with proper access controls preventing unauthorized local users from executing the exploit.

🌐 Internet-Facing: LOW - This is a local-only vulnerability that cannot be exploited remotely over the internet.
🏢 Internal Only: MEDIUM - Requires local access, so internal users with malicious intent or compromised accounts could exploit it to cause system disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code has been publicly disclosed. Exploitation requires local user access with sufficient privileges to interact with the driver. The flaw is in the pffilter.sys IOCTL handler, in the function identified as 0x22200c.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor did not respond to disclosure

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Check the IOBit website for a version newer than 1.3.0
2. If an update is available, download and install it
3. Restart the system to ensure a clean driver load
4. Verify that the pffilter.sys driver version has changed

🔧 Temporary Workarounds

Disable or uninstall IOBit Protected Folder (Windows)

Remove the vulnerable software to eliminate the attack surface

Control Panel > Programs > Uninstall IOBit Protected Folder

Restrict access to the pffilter.sys driver (Windows)

Use Windows security policies to limit which users can interact with the vulnerable driver

🧯 If You Can't Patch

  • Implement strict local access controls to prevent unauthorized users from running arbitrary code
  • Monitor for crash dumps or system instability events that might indicate exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the IOBit Protected Folder version in Control Panel > Programs. If the version is 1.3.0 or earlier, the system is vulnerable.

Check Version:

wmic product where name="IOBit Protected Folder" get version

Verify Fix Applied:

Verify that IOBit Protected Folder is uninstalled or updated to a version beyond 1.3.0. Check that the pffilter.sys driver is no longer loaded on the system.
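
The checks above can be scripted for fleet use. The following PowerShell is an added example, not vendor or advisory code; it assumes the uninstall entry's DisplayName contains "Protected Folder" and that the driver image is named pffilter.sys, and it treats any 1.3.0.x or unparseable version as affected.

```powershell
# Added example. Assumptions: DisplayName contains "Protected Folder";
# the driver image file is pffilter.sys. Run from an elevated prompt for full results.
$LastAffected = [version]'1.3.0'

function Get-ProtectedFolderInstall {
    # Read both 64-bit and 32-bit uninstall hives instead of Win32_Product,
    # which is slow and triggers MSI consistency checks.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Protected Folder*' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Test-AffectedVersion {
    param([string]$DisplayVersion)
    $parsed = $null
    # Missing or unparseable versions are flagged so they get a manual look.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $true }
    # Compare Major.Minor.Build only, so 1.3.0.0 and 1.3.0.x count as 1.3.0.
    $short = [version]::new($parsed.Major, $parsed.Minor, [Math]::Max($parsed.Build, 0))
    return $short -le $LastAffected
}

function Get-PffilterDriver {
    # Match on the image path, since the service name is not given in the advisory.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*pffilter.sys' } |
        Select-Object Name, State, StartMode, PathName
}

$installs = @(Get-ProtectedFolderInstall)
$drivers  = @(Get-PffilterDriver)

foreach ($i in $installs) {
    [pscustomobject]@{
        Product  = $i.DisplayName
        Version  = $i.DisplayVersion
        Affected = Test-AffectedVersion $i.DisplayVersion
    }
}
$drivers  # lists any registered pffilter.sys driver and whether it is Running

if ($drivers | Where-Object { $_.State -eq 'Running' }) {
    Write-Warning 'pffilter.sys is currently loaded.'
} elseif ($drivers -and -not $installs) {
    Write-Warning 'Driver is still registered although no uninstall entry was found.'
} elseif (-not $drivers -and -not $installs) {
    Write-Output 'No IOBit Protected Folder install or pffilter.sys driver found.'
}
```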

📡 Detection & Monitoring

Log Indicators:

  • System crash/BSOD events in Windows Event Logs
  • Unexpected system reboots
  • Driver crash events related to pffilter.sys

Network Indicators:

  • None - this is a local-only vulnerability

SIEM Query:

EventID=41 OR EventID=1001 OR (Source="System" AND EventID=7031 AND "pffilter")
