CVE-2025-67790
📋 TL;DR
An unprivileged user can cause a Blue Screen of Death (BSOD) on Windows computers running vulnerable DriveLock versions by sending a specific IOCTL with an unterminated string. This affects DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. The vulnerability allows local denial of service attacks.
💻 Affected Systems
- DriveLock
📦 What is this software?
Drivelock by Drivelock
⚠️ Risk & Real-World Impact
Worst Case
System-wide denial of service causing BSOD crashes, potential data loss from unsaved work, and disruption of business operations on affected endpoints.
Likely Case
Local users causing intermittent BSOD crashes on their own or other users' systems, leading to productivity loss and IT support overhead.
If Mitigated
Minimal impact with proper patch management and user privilege restrictions preventing unprivileged users from executing the exploit.
🎯 Exploit Status
Exploitation requires local access and sending a specific IOCTL with a malformed (unterminated) string. No authentication bypass is needed beyond basic user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.1.6, 24.2.7, or 25.1.5
Vendor Advisory: https://drivelock.help/versions/2025_1/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-005-BufferOverreadBSOD.htm
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from the DriveLock vendor portal.
2. Deploy the patch to affected systems.
3. Restart systems to complete installation.
🔧 Temporary Workarounds
Restrict user privileges
Windows: Limit standard user privileges to reduce attack surface
Application control policies
Windows: Implement application whitelisting to prevent unauthorized IOCTL calls
🧯 If You Can't Patch
- Implement strict user privilege management to limit who can execute potentially malicious code
- Monitor systems for BSOD events and investigate any unusual crashes
🔍 How to Verify
Check if Vulnerable:
Check DriveLock version in Control Panel > Programs and Features or via DriveLock management console
Check Version:
wmic product where name="DriveLock" get version
Verify Fix Applied:
Verify the installed version is at least the fixed release for its branch: 24.1.6, 24.2.7, or 25.1.5.
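The version check above has to be made per release branch: 24.2.3 sorts above 24.1.6 but is still a vulnerable build. The following is an added example (not vendor code) that triages an inventory export against the fixed releases listed on this page; the host names and version strings are constructed, and it assumes versions are dotted numbers with an optional build suffix.

```python
import re

# Fixed release per affected branch, taken from the advisory text on this page.
FIXED = {(24, 1): (24, 1, 6), (24, 2): (24, 2, 7), (25, 1): (25, 1, 5)}

def parse_version(text):
    """Return the leading dotted-numeric part of a version string as a tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text or "")
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one installed version."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Branch is not named on this page: do not assume it is safe,
        # check the vendor bulletin instead.
        return "not-listed"
    # Compare on major.minor.patch only; pad so "24.1" is treated as 24.1.0
    # and drop any trailing build number such as "25.1.5.1042".
    v3 = (v + (0, 0))[:3]
    return "fixed" if v3 >= fixed else "vulnerable"

def triage(inventory):
    """Map each host to its status; bad version strings are flagged, not dropped."""
    report = {}
    for host, version_text in inventory:
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (host, reported DriveLock version).
INVENTORY = [
    ("WS-001", "24.1.5"),
    ("WS-002", "24.1.6"),
    ("WS-003", "24.2.3"),       # above 24.1.6 numerically, still vulnerable
    ("WS-004", "25.1.5.1042"),  # build suffix ignored
    ("WS-005", "23.2.4"),       # branch not covered by this page
    ("WS-006", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as `not-listed` or `unparseable` need a manual check against the vendor advisory rather than being counted as patched.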
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing BSOD events (Event ID 41)
- DriveLock logs showing IOCTL errors
Network Indicators:
- No network indicators - local exploit only
SIEM Query:
EventID=41 AND Source="Microsoft-Windows-Kernel-Power" AND ComputerName IN (affected_systems)