CVE-2025-63602
📋 TL;DR
This vulnerability in Awesome Miner's bundled kernel driver (IntelliBreeze.Maintenance.Service.sys) allows unprivileged local users to read and write kernel memory and Model-Specific Registers (MSRs) because the driver exposes these operations without adequate access checks. Attackers can use it to escalate privileges locally, disclose sensitive information, cause denial of service, or manipulate system behavior. Users running Awesome Miner versions up to and including 11.2.4 on Windows systems are affected.
💻 Affected Systems
- Awesome Miner
📦 What is this software?
Awesome Miner by Awesomeminer
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via local privilege escalation to NT AUTHORITY\SYSTEM, enabling persistent backdoors, credential theft, disabling of security controls, and full data exfiltration.
Likely Case
Local privilege escalation allowing attackers to gain administrative privileges on the compromised system, potentially leading to lateral movement within the network.
If Mitigated
Limited impact if proper endpoint protection detects and blocks driver loading or if systems are isolated from critical infrastructure.
🎯 Exploit Status
Exploitation requires local access but is straightforward once the vulnerable driver is loaded. The technical details and proof-of-concept are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.awesomeminer.com/download
Restart Required: No
Instructions:
1. Check for an updated version on the Awesome Miner website.
2. If an update is available, download and install it.
3. Verify the installed driver version has been updated.
4. Remove older, vulnerable versions.
🔧 Temporary Workarounds
Remove/Disable Vulnerable Driver
Uninstall Awesome Miner or disable the IntelliBreeze.Maintenance.Service.sys driver to prevent exploitation. Run the following from an elevated Command Prompt (cmd.exe; in PowerShell, use sc.exe, since sc is an alias for Set-Content):
sc stop IntelliBreeze.Maintenance.Service
sc delete IntelliBreeze.Maintenance.Service
Then remove or rename C:\Windows\System32\drivers\IntelliBreeze.Maintenance.Service.sys so the file cannot be re-registered.
Restrict Driver Loading via Group Policy
Use Windows Group Policy to block loading of the vulnerable driver.
gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> System Services -> Find IntelliBreeze.Maintenance.Service -> Set to Disabled
🧯 If You Can't Patch
- Uninstall Awesome Miner completely from affected systems.
- Implement application control policies to prevent execution of Awesome Miner and loading of its drivers.
🔍 How to Verify
Check if Vulnerable:
Check if IntelliBreeze.Maintenance.Service.sys driver exists in C:\Windows\System32\drivers\ and verify Awesome Miner version is 11.2.4 or earlier.
Check Version:
Check Awesome Miner interface for version number or examine installed programs in Control Panel.
Verify Fix Applied:
Confirm the vulnerable driver is removed or renamed, and Awesome Miner is either updated to a patched version or uninstalled.
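The checks above can be scripted so they are consistent across hosts. The following PowerShell is an added example, not part of this advisory or the vendor's tooling: it looks for the driver file and its kernel-driver service registration, reads the installed Awesome Miner version from the Uninstall registry keys, and reports whether the host is in the affected range. The driver name and path come from this advisory; the assumption that the program's DisplayName begins with "Awesome Miner" is mine and may need adjusting.

```powershell
# Added example (not from the advisory or vendor): verify whether a Windows host
# still carries the vulnerable Awesome Miner driver. Run as Administrator.

$DriverName   = 'IntelliBreeze.Maintenance.Service'                 # service name from the advisory
$DriverPath   = Join-Path $env:SystemRoot "System32\drivers\$DriverName.sys"
$LastAffected = [version]'11.2.4'                                   # versions <= this are affected

$result = [ordered]@{
    DriverFilePresent = Test-Path -LiteralPath $DriverPath
    ServiceState      = 'NotInstalled'
    ServiceImagePath  = $null
    AppVersion        = $null
    Vulnerable        = $false
}

# Kernel drivers are not returned by Get-Service, so query Win32_SystemDriver instead.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
if ($drv) {
    $result.ServiceState     = $drv.State       # e.g. Running / Stopped
    $result.ServiceImagePath = $drv.PathName
}

# Installed programs are listed under the Uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Awesome Miner*' } |        # assumed DisplayName pattern
    Select-Object -First 1

if ($app -and $app.DisplayVersion) {
    $result.AppVersion = $app.DisplayVersion
    try   { $installed = [version]$app.DisplayVersion } catch { $installed = $null }
    if ($installed -and $installed -le $LastAffected) { $result.Vulnerable = $true }
}

# The driver being on disk or registered is a finding on its own, whatever the app version:
# the advisory's fix is to remove or rename it, not only to update the application.
if ($result.DriverFilePresent -or $result.ServiceState -ne 'NotInstalled') {
    $result.Vulnerable = $true
}

[pscustomobject]$result | Format-List
```

A clean host shows DriverFilePresent False, ServiceState NotInstalled and either no AppVersion or one above 11.2.4. Because the patched version is listed as unknown, the script treats the presence of the driver as the decisive indicator rather than the application version alone.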
📡 Detection & Monitoring
Log Indicators:
- Event ID 7045 (System log, source Service Control Manager): a new service was installed, with ServiceName and ImagePath in the event data
- Driver load events for IntelliBreeze.Maintenance.Service.sys (for example Sysmon Event ID 6, where Sysmon is deployed)
- Process creation for AwesomeMiner.exe
Network Indicators:
- Unusual outbound connections from mining software to unknown destinations
SIEM Query (generic syntax; adjust field names to your SIEM):
source="*system*" AND event_id=7045 AND (service_name="IntelliBreeze.Maintenance.Service" OR image_path="*IntelliBreeze.Maintenance.Service.sys")
Note that Event ID 7045 is written to the Windows System log, not the Security log, and the OR clause must be parenthesised so that the event ID filter applies to both conditions.
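For hosts that are not forwarding logs to a SIEM, the same hunt can be run locally or against a remote machine with PowerShell. The script below is an added example, not part of this advisory: it retrieves Event ID 7045 entries from the System log and Sysmon Event ID 6 (DriverLoad) entries from the Sysmon operational log, parses their EventData and returns only the records that mention the driver named above. The Sysmon log name, its event ID and the EventData field names (ServiceName, ImagePath, AccountName, ImageLoaded, Signature) are standard Windows/Sysmon fields; the lookback window and the function name are my choices.

```powershell
# Added example (not from the advisory): hunt Windows event logs for installation
# or loading of the IntelliBreeze.Maintenance.Service.sys driver.

function ConvertFrom-EventData {
    # Turn an event's <EventData><Data Name=...> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Find-IntelliBreezeDriverEvents {
    param(
        [int]$Days = 30,                                  # lookback window (assumed default)
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $pattern = 'IntelliBreeze.Maintenance.Service'
    $since   = (Get-Date).AddDays(-$Days)
    $hits    = @()

    # 1. Service installations: System log, Service Control Manager, Event ID 7045.
    $installs = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $installs) {
        $d = ConvertFrom-EventData $e
        if ($d.ServiceName -like "*$pattern*" -or $d.ImagePath -like "*$pattern*") {
            $hits += [pscustomobject]@{
                Time    = $e.TimeCreated; Source = 'System/7045'
                Service = $d.ServiceName; Image  = $d.ImagePath
                Detail  = "installed by $($d.AccountName)"
            }
        }
    }

    # 2. Driver loads: Sysmon Event ID 6 (only present where Sysmon is installed).
    $loads = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $loads) {
        $d = ConvertFrom-EventData $e
        if ($d.ImageLoaded -like "*$pattern*") {
            $hits += [pscustomobject]@{
                Time    = $e.TimeCreated; Source = 'Sysmon/6'
                Service = $null;          Image  = $d.ImageLoaded
                Detail  = "signature: $($d.Signature)"
            }
        }
    }

    return $hits | Sort-Object Time
}

# Usage: run in an elevated PowerShell session (reading the System log remotely and
# the Sysmon log locally both require administrative rights).
Find-IntelliBreezeDriverEvents -Days 30 | Format-Table -AutoSize
```

An empty result means no matching install or load was recorded in the window, not that the driver is absent; pair this with the on-disk check from the verification section, since 7045 is logged only when the service is created and events older than the log's retention are gone.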