CVE-2020-36603: n/a in n/a
The HoYoVerse (formerly miHoYo) Genshin Impact mhyprot2.sys 1.0.0.0 anti-cheat driver does not adequately restrict unprivileged function calls, allowing local, unprivileged users to execute arbitrary code with SYSTEM privileges on Microsoft Windows systems. The mhyprot2.sys driver must first be installed by a user with administrative privileges.
AI Analysis
Technical Summary
CVE-2020-36603 is a local privilege escalation vulnerability in the mhyprot2.sys anti-cheat driver, version 1.0.0.0, used by HoYoVerse's (formerly miHoYo) Genshin Impact game on Microsoft Windows systems. The vulnerability arises because the driver does not adequately restrict unprivileged function calls, allowing a local user without elevated privileges to execute arbitrary code with SYSTEM-level privileges. Once the driver has been installed by an administrator, any local user on the system can exploit this flaw to gain full control over the affected Windows machine. Because the driver runs in kernel mode, the vulnerability is particularly dangerous: code running at that level can bypass many user-mode security controls and protections.

Exploitation requires that the vulnerable driver is installed, which in turn requires administrative privileges initially, and user interaction (UI:R in the CVSS vector) to trigger the exploit. The CVSS 3.1 base score is 6.5, indicating medium severity, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability is classified under CWE-269 (Improper Privilege Management). There are no known exploits in the wild reported yet, and no patches or updates have been linked in the provided information.

The vulnerability affects Windows systems running the specific version of the mhyprot2.sys driver bundled with Genshin Impact, a popular online game. The driver is designed as an anti-cheat mechanism but introduces a significant security risk due to improper access control on its functions.
Potential Impact
For European organizations, the impact of this vulnerability could be significant if Genshin Impact or other HoYoVerse products using the vulnerable driver are installed on corporate or personal Windows systems within the organization. An attacker with local access (e.g., via a compromised user account or physical access) could escalate privileges to SYSTEM level, potentially leading to full system compromise. This could result in unauthorized access to sensitive corporate data, installation of persistent malware, disruption of services, or lateral movement within the network. Although the initial installation requires administrative rights, the presence of this vulnerability lowers the barrier for privilege escalation once the driver is installed. Organizations with employees who play Genshin Impact on corporate devices or have the game installed on endpoints connected to the corporate network are at risk. Additionally, gaming cafes or internet service providers hosting gaming environments could be targeted. The vulnerability could also be leveraged in targeted attacks against high-value individuals or organizations if the attacker can gain local access. The lack of known exploits in the wild reduces immediate risk, but the medium severity and high impact warrant proactive mitigation.
Mitigation Recommendations
1. Remove or uninstall the Genshin Impact game and the associated mhyprot2.sys driver from any corporate or sensitive systems where it is not essential.
2. Restrict installation of unauthorized software, including games, on corporate endpoints to prevent the vulnerable driver from being installed.
3. Monitor systems for the presence of the mhyprot2.sys driver and audit its usage.
4. Apply the principle of least privilege to user accounts to reduce the risk of local exploitation.
5. Use endpoint detection and response (EDR) tools to detect suspicious local privilege escalation attempts.
6. Educate users about the risks of installing unauthorized software on corporate devices.
7. Follow HoYoVerse's official channels for any patches or updates addressing this vulnerability and apply them promptly once available.
8. Implement application whitelisting to prevent execution of unauthorized drivers or kernel modules.
9. For environments where gaming is permitted, consider isolating gaming systems from critical networks to limit potential lateral movement.
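Recommendation 3 (monitor for the presence of the driver) is the one most easily turned into a repeatable check. The PowerShell script below is an added example, not part of this advisory and not HoYoVerse code: it looks for mhyprot2.sys in three places a kernel driver leaves traces (the registered driver services, the system driver directory, and the service registry key) and reports the file version and Authenticode signer so the result can be compared against the 1.0.0.0 build named above. The file name mhyprot2.sys comes from the advisory; the service name `mhyprot2` is an assumption and should be verified against an affected image. Run it in an elevated session for complete visibility.

```powershell
# Added example: inventory check for the mhyprot2.sys driver (CVE-2020-36603).
# Assumptions: the service name 'mhyprot2' is a guess; only the file name
# mhyprot2.sys is taken from the advisory.

$driverFile   = 'mhyprot2.sys'
$serviceGuess = 'mhyprot2'   # assumed service name, verify on an affected host

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Registered kernel drivers (Win32_SystemDriver lists kernel/file-system driver services).
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverFile*" -or $_.Name -eq $serviceGuess } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Source  = 'Win32_SystemDriver'
            Name    = $_.Name
            State   = $_.State
            Path    = $_.PathName
            Version = $null
        })
    }

# 2. Driver binary on disk in the standard driver directory; record version and signer.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
Get-ChildItem -Path $driverDir -Filter $driverFile -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings.Add([pscustomobject]@{
            Source  = 'FileSystem'
            Name    = $_.Name
            State   = "signer=$($sig.SignerCertificate.Subject); status=$($sig.Status)"
            Path    = $_.FullName
            Version = $_.VersionInfo.FileVersion
        })
    }

# 3. Service registry key, which survives even when the driver is not currently loaded.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceGuess"
if (Test-Path $svcKey) {
    $props = Get-ItemProperty -Path $svcKey
    $findings.Add([pscustomobject]@{
        Source  = 'Registry'
        Name    = $serviceGuess
        State   = "Start=$($props.Start) Type=$($props.Type)"
        Path    = $props.ImagePath
        Version = $null
    })
}

if ($findings.Count -eq 0) {
    Write-Output "No trace of $driverFile found on $env:COMPUTERNAME."
} else {
    Write-Warning "$driverFile present on $env:COMPUTERNAME (CVE-2020-36603 exposure); review and remove where not required."
    $findings | Format-Table -AutoSize
}
```

The registry check matters because a driver can remain registered with a non-boot start type after the game is removed; the service `PathName` reported in step 1 also reveals installations outside the standard driver directory, which step 2 alone would miss. Wrap the script in a scheduled task or push it through your endpoint management tooling to turn recommendation 3 into a recurring audit.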
Affected Countries
Germany, France, United Kingdom, Netherlands, Poland, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-09-14T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6840c579182aa0cae2c16b62
Added to database: 6/4/2025, 10:15:21 PM
Last enriched: 7/7/2025, 2:25:03 AM
Last updated: 8/16/2025, 1:35:28 PM
Views: 20