CVE-2025-60349
📋 TL;DR
This vulnerability in Prevx v3.0.5.220 allows attackers to cause denial of service by sending a specific IOCTL code to the pxscan.sys driver, which terminates processes listed in a specific registry key. It affects systems running the vulnerable version of Prevx antivirus software. The attack requires local access to the system.
💻 Affected Systems
- Prevx
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Critical system processes could be terminated, causing complete system instability or crash, potentially requiring reboot and disrupting business operations.
Likely Case
Targeted termination of security or application processes, disrupting specific services while the system remains operational.
If Mitigated
Limited impact if registry key contains only non-critical processes or if access controls prevent unauthorized users from sending IOCTL commands.
🎯 Exploit Status
Exploit code is publicly available on GitHub. Requires local system access and ability to send IOCTL commands to the driver.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: http://prevx.com
Restart Required: No
Instructions:
Check vendor website for updates. Since Prevx appears to be discontinued, consider migrating to alternative security software.
🔧 Temporary Workarounds
Restrict registry key permissions
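Windows: Modify permissions on the vulnerable registry key to prevent unauthorized modifications. The command shown clears the Files value under the pxscan service key; it does not change the key's permissions.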
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan" /v Files /t REG_SZ /d "" /f
Remove vulnerable driver
Windows: Uninstall or disable the pxscan.sys driver
sc stop pxscan
sc delete pxscan
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local access to affected systems
- Monitor for IOCTL calls with code 0x22E044 to the pxscan.sys driver
🔍 How to Verify
Check if Vulnerable:
Check if pxscan.sys driver version is 3.0.5.220 and registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files exists
Check Version:
driverquery /v | findstr /i pxscan
Verify Fix Applied:
Verify pxscan.sys driver is removed or updated, and registry key is empty or removed
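The checks listed above, combined into one read-only PowerShell script. This is an added example, not a script from the vendor or from this page; it assumes `Files` is a value under the pxscan service key (as in the `reg add` command above) and that 3.0.5.220 is the driver's file version.

```powershell
# Added example: read-only check of the "How to Verify" conditions. Changes nothing.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\pxscan'
$badVer = '3.0.5.220'   # version named on this page; assumed to be the file version

function Resolve-DriverPath([string]$ImagePath) {
    # Driver ImagePath values are often NT-style; map the common forms to a Win32 path.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    if (-not $p) {   # no ImagePath: assume the conventional drivers directory
        return Join-Path $env:SystemRoot 'System32\drivers\pxscan.sys'
    }
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^\\?SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if (-not [IO.Path]::IsPathRooted($p)) { return Join-Path $env:SystemRoot $p }
    return $p
}

if (-not (Test-Path -LiteralPath $svcKey)) {
    'pxscan service key not found: the driver is not registered on this host.'
} else {
    $svc  = Get-ItemProperty -LiteralPath $svcKey
    $path = Resolve-DriverPath $svc.ImagePath
    $ver  = $null
    if (Test-Path -LiteralPath $path) {
        # Build the version from numeric parts; the FileVersion string format varies.
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                    $vi.FileBuildPart, $vi.FilePrivatePart
    }
    # Files may be REG_SZ or REG_MULTI_SZ; normalise to a list of non-empty entries.
    $files = @(@($svc.Files) | Where-Object { $_ })
    $drv   = Get-CimInstance Win32_SystemDriver -Filter "Name='pxscan'"

    [pscustomobject]@{
        DriverPath     = $path
        FileVersion    = $ver
        VersionMatches = ($ver -eq $badVer)
        DriverState    = $drv.State      # e.g. Running or Stopped
        FilesEntries   = $files.Count
        FilesValue     = $files -join '; '
    }
}
```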
📡 Detection & Monitoring
Log Indicators:
- Driver load events for pxscan.sys
- Process termination events for processes listed in the registry key
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
(EventID=4688 AND ProcessName="*pxscan*") OR (EventID=4689 AND ProcessName IN (registry key process list))