CVE-2025-51060
📋 TL;DR
This vulnerability in the CPUID cpuz.sys driver allows attackers to execute arbitrary code with kernel privileges by exploiting unvalidated DeviceIoControl parameters. It enables MSR manipulation to hook system calls and bypass security mechanisms like SMAP. Affected users are those running CPUID software with the vulnerable driver on 64-bit Windows systems without core isolation.
💻 Affected Systems
- CPUID cpuz.sys driver
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with kernel-level code execution, allowing attackers to install persistent malware, steal credentials, and bypass all security controls.
Likely Case
Privilege escalation from user to kernel mode, enabling installation of rootkits, disabling security software, and accessing protected system resources.
If Mitigated
Limited impact if core isolation is enabled and properly configured, as this prevents exploitation according to the description.
🎯 Exploit Status
Exploitation requires local access and knowledge of ROP techniques. Proof-of-concept code may exist in the referenced GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - check vendor for updated version
Vendor Advisory: http://cpuid.com
Restart Required: No
Instructions:
1. Visit the CPUID website for updates.
2. Download and install the latest version.
3. Verify the cpuz.sys driver is updated.
4. Consider removing the driver if it is not needed.
🔧 Temporary Workarounds
Enable Core Isolation
Windows 10/11: Enable the Windows Security Core Isolation feature to prevent exploitation
Windows Security → Device Security → Core Isolation Details → Enable Memory Integrity
Remove/Disable Driver
Windows: Uninstall CPUID software or disable the cpuz.sys driver if not required
sc.exe stop cpuz
sc.exe delete cpuz
Remove via Programs and Features
🧯 If You Can't Patch
- Enable Windows Defender Application Control to block unauthorized drivers
- Implement least privilege principles and restrict local access to sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check whether the driver service is registered and which image it points to:
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\cpuz' | Select-Object ImagePath
Check Version:
driverquery /v | findstr cpuz
Verify Fix Applied:
Verify driver version is updated or driver is removed from system
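The checks above combined into one PowerShell script (an added example, not from the vendor or the original page). It assumes the driver's service key is named `cpuz` or begins with that name, and it also reports whether Memory Integrity is running, since the page lists that as the mitigating control.

```powershell
# Added example: inventory cpuz driver services and report Memory Integrity (HVCI) state.
# Assumption: the service key is 'cpuz' (as on this page) or starts with that name.
function Resolve-DriverPath {
    param([string]$ImagePath)
    # Kernel service ImagePath values use NT-style prefixes; map them to Win32 paths.
    $p = $ImagePath.Trim('"')
    if ($p.StartsWith('\??\')) { return $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', [StringComparison]::OrdinalIgnoreCase)) {
        return Join-Path $env:SystemRoot $p.Substring(12)
    }
    # Relative values such as System32\drivers\x.sys are relative to %SystemRoot%.
    if ($p -notmatch '^[A-Za-z]:\\') { return Join-Path $env:SystemRoot $p }
    return $p
}

$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object { $_.PSChildName -like 'cpuz*' }

$report = foreach ($svc in $services) {
    $props  = Get-ItemProperty -Path $svc.PSPath
    $path   = if ($props.ImagePath) { Resolve-DriverPath $props.ImagePath } else { $null }
    $onDisk = $path -and (Test-Path -LiteralPath $path)
    [pscustomobject]@{
        Service     = $svc.PSChildName
        ImagePath   = $path
        OnDisk      = $onDisk
        # Version and signature are only readable when the image still exists.
        FileVersion = if ($onDisk) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion }
        Signature   = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $path).Status }
        # A registered service is not necessarily loaded; check the running driver list.
        Loaded      = [bool](Get-CimInstance Win32_SystemDriver -Filter "Name='$($svc.PSChildName)'" |
                             Where-Object State -eq 'Running')
    }
}

# SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning = $dg -and ($dg.SecurityServicesRunning -contains 2)

if ($report) { $report | Format-List } else { 'No cpuz* driver service registered.' }
"Memory Integrity (HVCI) running: $hvciRunning"
```

Run it from an elevated prompt; a host that shows a registered or loaded driver with Memory Integrity not running is the combination the page describes as exposed.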
📡 Detection & Monitoring
Log Indicators:
- DeviceIoControl calls with IoControlCodes 0x9C402440 or 0x9C402444
- Unexpected MSR access attempts
- Driver loading events for cpuz.sys
Network Indicators:
- None - local exploitation only
SIEM Query:
((EventID=4656 OR EventID=4663) AND ObjectName LIKE '%cpuz.sys%') OR (ProcessName='DeviceIoControl' AND IoControlCode IN ('0x9C402440', '0x9C402444'))