CVE-2025-14963
📋 TL;DR
The fekern.sys kernel driver installed by Trellix HX Agent can be abused by a local attacker to escalate privileges and read the memory of lsass.exe using bring-your-own-vulnerable-driver (BYOVD) techniques. Only hosts with Trellix HX Agent installed are affected, and on those hosts the attacker must first bypass the agent's tamper protection, which otherwise blocks communication with the driver.
💻 Affected Systems
- Trellix HX Agent
📦 What is this software?
Trellix HX Agent is the endpoint agent for Trellix Endpoint Security (HX), the product formerly sold as FireEye Endpoint Security (HX). It installs kernel-mode components, including the fekern.sys driver, to monitor and protect the host.
⚠️ Risk & Real-World Impact
Worst Case
Theft of credential material from lsass.exe memory on a domain-joined host, leading to domain administrator access and lateral movement across the network.
Likely Case
Local privilege escalation on individual workstations/servers, enabling persistence and credential harvesting from compromised systems.
If Mitigated
With the agent patched and tamper protection enabled, unprivileged local code cannot communicate with the vulnerable driver, so the exploitation path described here is closed.
🎯 Exploit Status
Exploitation requires all of the following:
1. Local user access to the host.
2. Bypass of the HX Agent's tamper protection.
3. A BYOVD technique to load and exploit the vulnerable driver.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Trellix advisory for specific patched versions
Vendor Advisory: https://thrive.trellix.com/s/article/000015100
Restart Required: Yes
Instructions:
1. Review the Trellix advisory for the patched version.
2. Update HX Agent to that version or later.
3. Restart affected systems.
4. Verify that tamper protection remains enabled after the update.
🔧 Temporary Workarounds
Enable Tamper Protection (Windows)
Ensure HX Agent tamper protection is enabled so that unauthorized local processes cannot communicate with the driver.
Restrict Local Access (all platforms)
Apply least privilege and restrict which users can log on locally to sensitive systems.
🧯 If You Can't Patch
- Ensure HX Agent tamper protection is enabled and monitored for any disablement attempts.
- Use application control (for example WDAC rules or the Microsoft vulnerable driver blocklist) to block unauthorized driver loading, and monitor for BYOVD activity.
🔍 How to Verify
Check if Vulnerable:
Check whether fekern.sys is present in the system drivers directory (Windows\System32\drivers) and compare the installed HX Agent version with the patched versions listed in the advisory.
Check Version:
Check HX Agent version via agent console or installed programs list.
Verify Fix Applied:
Verify HX Agent is updated to patched version and tamper protection is enabled in agent console.
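The verification steps above, as an added PowerShell example that is not part of the advisory: it reports whether fekern.sys is on disk, its file version and signer, whether it is registered and running as a kernel service, and the HX Agent version recorded in Add/Remove Programs, so the values can be compared with the patched versions in the Trellix advisory. The driver path and the DisplayName pattern used to locate the agent are assumptions; tamper protection state is not exposed this way and must still be confirmed in the agent console.

```powershell
# Added example, not from the advisory. Run in an elevated PowerShell session.
# Assumptions: fekern.sys lives in System32\drivers, and the agent's Add/Remove
# Programs entry is named with Trellix, FireEye or HX.

$driverName = 'fekern.sys'
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"   # assumed location

# --- 1. Is the driver on disk, what version is it, and who signed it? ---
if (Test-Path $driverPath) {
    $file = Get-Item $driverPath
    $sig  = Get-AuthenticodeSignature -FilePath $driverPath
    [pscustomobject]@{
        Driver         = $driverPath
        FileVersion    = $file.VersionInfo.FileVersion
        ProductVersion = $file.VersionInfo.ProductVersion
        Signer         = $sig.SignerCertificate.Subject
        Signature      = $sig.Status      # expect 'Valid'; anything else deserves a look
        LastWrite      = $file.LastWriteTime
    } | Format-List
} else {
    "$driverName not found at $driverPath; the driver does not appear to be installed on this host."
}

# --- 2. Is the driver registered as a kernel service, and is it running? ---
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName" } |
    Select-Object Name, State, StartMode, PathName

# --- 3. Which HX Agent build is installed? Compare DisplayVersion with the advisory. ---
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Trellix|FireEye|HX' } |   # assumed product naming
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
```

A host where step 1 finds no file and step 2 returns nothing has no fekern.sys to abuse; a host where step 2 shows the driver running on a DisplayVersion older than the advisory's patched build is the one to update first.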
📡 Detection & Monitoring
Log Indicators:
- Unexpected driver loading events
- Tamper protection disablement attempts
- Lsass.exe memory access by non-system processes
Network Indicators:
- Unusual outbound connections from systems with HX Agent
SIEM Query:
Search the Windows System log for Event ID 7045 (new service installed) where the image path is a kernel driver, and the Sysmon Operational log for Event ID 6 (DriverLoad) naming fekern.sys or other unexpected drivers. Pair this with Sysmon Event ID 10 (ProcessAccess) events whose target is lsass.exe to cover the lsass indicator above.
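The log indicators and the SIEM query above, as an added PowerShell hunt that is not part of the advisory: it reads the local Windows event logs with Get-WinEvent and flags kernel-driver service installs (System 7045), driver loads of fekern.sys or unsigned drivers (Sysmon 6), and non-allowlisted processes opening lsass.exe with read access (Sysmon 10). The look-back window and the lsass accessor allowlist are assumptions to tune for your environment; Sysmon must be installed for the last two checks.

```powershell
# Added example, not from the advisory. Run elevated on the host, or point the
# LogName values at a forwarded-events collector. Assumptions: 24-hour window,
# and the lsass allowlist below is a starting point, not a complete one.

$driverName = 'fekern.sys'
$since      = (Get-Date).AddHours(-24)

# Flatten an event's <EventData> into a hashtable keyed by each Data element's Name,
# so fields can be addressed by name regardless of their position.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# A missing Sysmon log or zero matches must not abort the rest of the hunt.
function Get-Events([string]$Log, [int]$Id) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. System 7045: a new service whose binary is a .sys file. Registering a
#    kernel service is how a BYOVD payload gets its driver loaded.
foreach ($e in Get-Events 'System' 7045) {
    $d = Get-EventData $e
    if ($d.ImagePath -match '\.sys\s*$' -or $d.ImagePath -like "*$driverName") {
        $findings.Add([pscustomobject]@{
            Time      = $e.TimeCreated
            Indicator = 'ServiceInstall (7045)'
            Detail    = "$($d.ServiceName) -> $($d.ImagePath) by $($d.AccountName)"
        })
    }
}

# 2. Sysmon 6 (DriverLoad): any load of the advisory's driver, plus any driver
#    whose signature Sysmon could not validate.
foreach ($e in Get-Events 'Microsoft-Windows-Sysmon/Operational' 6) {
    $d = Get-EventData $e
    if ($d.ImageLoaded -like "*$driverName" -or $d.SignatureStatus -ne 'Valid') {
        $findings.Add([pscustomobject]@{
            Time      = $e.TimeCreated
            Indicator = 'DriverLoad (Sysmon 6)'
            Detail    = "$($d.ImageLoaded) signer='$($d.Signature)' status=$($d.SignatureStatus)"
        })
    }
}

# 3. Sysmon 10 (ProcessAccess): a handle to lsass.exe that includes
#    PROCESS_VM_READ (0x10) from a process outside the allowlist.
#    Extend the allowlist with the EDR, AV and backup binaries that
#    legitimately read lsass on your hosts (assumption).
$lsassAllow = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\csrss.exe",
    "$env:SystemRoot\System32\wininit.exe"
)
foreach ($e in Get-Events 'Microsoft-Windows-Sysmon/Operational' 10) {
    $d = Get-EventData $e
    if ($d.TargetImage -like '*\lsass.exe' -and
        ([int]$d.GrantedAccess -band 0x10) -and
        $lsassAllow -notcontains $d.SourceImage) {
        $findings.Add([pscustomobject]@{
            Time      = $e.TimeCreated
            Indicator = 'LsassAccess (Sysmon 10)'
            Detail    = "$($d.SourceImage) access=$($d.GrantedAccess) user=$($d.SourceUser)"
        })
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

A 7045 driver install followed within minutes by a Sysmon 6 load of the same path and a Sysmon 10 read of lsass.exe from a non-allowlisted binary is the sequence the exploit status section describes; the three checks are kept separate so each can be moved into a SIEM rule on its own.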