CVE-2025-67246
📋 TL;DR
This vulnerability allows unprivileged local users to read arbitrary physical memory through the Ludashi driver's IOCTL handler, exposing sensitive kernel data and potentially enabling privilege escalation. It affects systems running vulnerable versions of the Ludashi driver. Attackers with local access can exploit this to bypass security mechanisms like KASLR.
💻 Affected Systems
- Ludashi driver
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through local privilege escalation leading to full administrative control, credential theft, and persistent backdoor installation.
Likely Case
Information disclosure of kernel memory contents including security tokens, passwords, and encryption keys, enabling further attacks.
If Mitigated
Limited impact with proper access controls preventing unprivileged users from executing code or accessing sensitive systems.
🎯 Exploit Status
Exploitation requires local user access but the vulnerability is straightforward to exploit once access is obtained. Public PoC exists in the GitHub repository.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1025 or later
Vendor Advisory: http://ludashi.com
Restart Required: Yes
Instructions:
1. Visit http://ludashi.com
2. Download latest Ludashi driver version 5.1025 or newer
3. Install the updated driver
4. Restart the system
🔧 Temporary Workarounds
Remove or disable Ludashi driver
Uninstall the Ludashi software or disable the driver to prevent exploitation
sc stop LudashiDriver
sc delete LudashiDriver
Restrict driver access
Modify driver permissions to prevent normal users from accessing the vulnerable IOCTL interface. Note that the ACL on the .sys file only controls who can read or load the image on disk; an already-loaded driver's IOCTL interface is governed by the security descriptor of its device object, so this change does not take effect until the driver is unloaded.
icacls "C:\Windows\System32\drivers\Ludashi.sys" /deny Users:(R,X)
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to vulnerable systems
- Monitor for suspicious driver access attempts and memory reading activities
🔍 How to Verify
Check if Vulnerable:
Check the Ludashi driver version in Device Manager or with the 'driverquery | findstr Ludashi' command. driverquery confirms whether the driver is present (and, with /v, its path and link date) but does not print a file version; read the version from the driver file's properties.
Check Version:
driverquery | findstr Ludashi
Verify Fix Applied:
Verify that the driver version is 5.1025 or later and test with the public PoC to confirm that memory reading is prevented.
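As an added example (not code from the advisory or the vendor), the version check in this section as a PowerShell script that can be run across a fleet: it locates any kernel driver whose service name or image path contains "Ludashi", reads the file version, and compares it against the 5.1025 fix threshold. The service name and the Ludashi.sys path are taken from the workaround section above and are assumptions; real installs may use different names, so adjust $Patterns as needed.

```powershell
# Added example, not the advisory's own: report whether the Ludashi driver on this host
# is below the fixed version (5.1025) for CVE-2025-67246.
# Assumption: the driver registers as a service named like "LudashiDriver" with image
# Ludashi.sys (names from this advisory's workaround section); edit $Patterns if yours differ.

$FixedVersion = [version]'5.1025'
$Patterns     = @('*Ludashi*')   # matched against both service name and image path

# Kernel drivers are registered as services; PathName is the on-disk image.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
    $n = $_.Name; $p = $_.PathName
    $Patterns | Where-Object { $n -like $_ -or $p -like $_ }
}

if (-not $drivers) {
    Write-Output 'Ludashi driver not registered: host is not exposed to CVE-2025-67246.'
    return
}

foreach ($d in $drivers) {
    # PathName may be quoted or carry \??\ or \SystemRoot\ prefixes; normalise to a file path.
    $path = $d.PathName -replace '^"|"$' -replace '^\\\?\?\\' -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    $info = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
    $ver  = $null
    # FileVersion is free text; keep only the leading dotted numeric part before comparing.
    if ($info -and $info.FileVersion -match '^\s*(\d+(\.\d+)+)') { $ver = [version]$Matches[1] }

    $status = if (-not $ver) { 'UNKNOWN (could not read file version)' }
              elseif ($ver -lt $FixedVersion) { 'VULNERABLE (below 5.1025)' }
              else { 'patched' }

    [pscustomobject]@{
        Service = $d.Name
        State   = $d.State        # 'Running' means the IOCTL interface is reachable right now
        Image   = $path
        Version = $ver
        Status  = $status
    }
}
```

A driver that reports VULNERABLE while State is Running is the case the workarounds above (stopping the service) address until the updated driver is installed.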
📡 Detection & Monitoring
Log Indicators:
- Unusual driver access attempts by non-privileged users
- Multiple IOCTL calls to Ludashi driver from user processes
Network Indicators:
- None - this is a local vulnerability
SIEM Query (pseudo-syntax, adapt to your platform; Windows events 4656 and 4663 are only generated when Object Access auditing is enabled and a SACL exists on the object):
EventID=4656 OR EventID=4663 WHERE ObjectName contains "Ludashi" AND SubjectUserName not in (Administrators)