CVE-2025-14252
📋 TL;DR
An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers with local access to read/write arbitrary memory, I/O ports, and MSRs. This can lead to privilege escalation, arbitrary code execution, and information disclosure. Affects Advantech SUSI version 5.0.24335 and prior.
💻 Affected Systems
- Advantech SUSI driver (susi.sys)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with kernel-level code execution, allowing attackers to install persistent malware, steal sensitive data, or disable security controls.
Likely Case
Local privilege escalation from standard user to SYSTEM/root privileges, enabling installation of additional malware or credential theft.
If Mitigated
Limited impact if proper access controls prevent local user access or if the driver is not loaded.
🎯 Exploit Status
Exploitation requires local access but appears straightforward based on vulnerability description. No public exploit code identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 5.0.24335
Vendor Advisory: https://www.txone.com/psirt/advisories/CVE-2025-14252
Restart Required: Yes
Instructions:
1. Visit Advantech support portal or contact vendor for updated SUSI driver.
2. Download and install the patched version.
3. Restart affected systems to load the updated driver.
🔧 Temporary Workarounds
Disable SUSI driver
Windows: Prevent the vulnerable driver from loading by disabling or removing it
sc stop susi
sc config susi start= disabled
Restrict driver loading
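Windows: Use Windows Driver Signature Enforcement to prevent unsigned/unauthorized drivers. Signature enforcement only blocks unsigned or test-signed drivers; if the installed susi.sys carries a valid signature, enforcement alone will not stop it from loading.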
bcdedit /set nointegritychecks off
bcdedit /set testsigning off
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to affected systems
- Monitor for suspicious driver loading or privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check SUSI driver version: Open Device Manager, locate SUSI driver under System devices, check Properties > Driver tab for version number.
Check Version:
driverquery /v | findstr /i susi
Verify Fix Applied:
Verify driver version is greater than 5.0.24335 using same method as above.
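The check above as a script, added here as an example (not part of the original page or vendor tooling): it reads the file version of the driver image, compares it with the last affected version, and reports whether the disable workaround is in effect. It assumes the service name susi from the workaround commands and that the file version of susi.sys follows the SUSI version numbering; the function name is hypothetical.

```powershell
# Added example, not vendor code. Assumes the service name 'susi' used in the
# workaround commands and that susi.sys's file version follows SUSI numbering.
function Get-SusiDriverStatus {
    [CmdletBinding()]
    param(
        [string]  $ServiceName  = 'susi',
        [version] $LastAffected = '5.0.24335'   # last affected version per this page
    )
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if (-not $drv) {
        return [pscustomobject]@{ Installed = $false; Verdict = 'Driver service not registered' }
    }
    if (-not $drv.PathName) {
        return [pscustomobject]@{ Installed = $true; Verdict = 'No image path recorded; check manually' }
    }
    # The image path may be stored in NT form; map it to a Win32 path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Installed = $true; Path = $path; Verdict = 'Image file missing; check manually' }
    }
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    # Compare Major.Minor.Build only: [version]'5.0.24335.0' sorts above
    # [version]'5.0.24335', which would wrongly clear an affected build.
    $found = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    $limit = [version]::new($LastAffected.Major, $LastAffected.Minor, [Math]::Max(0, $LastAffected.Build))
    $affected = $found -le $limit

    $verdict = if (-not $affected) {
        'Installed version is after the last affected version'
    } elseif ($drv.State -eq 'Running') {
        'AFFECTED and loaded: update the driver or apply the workaround'
    } elseif ($drv.StartMode -eq 'Disabled') {
        'AFFECTED but disabled: workaround in place, update still required'
    } else {
        'AFFECTED, not running, but still able to start: disable or update'
    }
    [pscustomobject]@{
        Installed = $true; Path = $path; FileVersion = $found
        State = $drv.State; StartMode = $drv.StartMode
        Affected = $affected; Verdict = $verdict
    }
}

Get-SusiDriverStatus | Format-List
```

A driver file with no version resource reports 0.0.0 and is therefore treated as affected, which is the conservative outcome.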
📡 Detection & Monitoring
Log Indicators:
- Event ID 6005 (Driver loaded) for susi.sys
- Unexpected privilege escalation events
- Suspicious driver loading patterns
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
EventID=6005 AND (DriverName="susi.sys" OR ImagePath="*susi*")