CVE-2025-14963: CWE-20 Improper Input Validation in Trellix Endpoint HX Agent (xAgent)
A vulnerability identified in the HX Agent driver file fekern.sys allowed a threat actor with local user access the ability to gain elevated system privileges. Utilization of a Bring Your Own Vulnerable Driver (BYOVD) was leveraged to gain access to the critical Windows process memory lsass.exe (Local Security Authority Subsystem Service). The fekern.sys is a driver file associated with the HX Agent (used in all existing HX Agent versions). The vulnerable driver installed in a product or a system running a fully functional HX Agent is, itself, not exploitable as the product’s tamper protection restricts the ability to communicate with the driver to only the Agent’s processes.
AI Analysis
Technical Summary
CVE-2025-14963 is a CWE-20 (Improper Input Validation) weakness in fekern.sys, the kernel driver shipped with the Trellix Endpoint HX Agent (xAgent) and present in all existing HX Agent versions, specifically 30.x through 36.30.0-17. The driver does not sufficiently validate the requests it receives, so a caller that can talk to it can use its kernel-mode capabilities to read the memory of lsass.exe, the Local Security Authority Subsystem Service process that holds logon credentials and security tokens. On a host running a functional HX Agent the installed driver is not exploitable, because the product's tamper protection restricts communication with the driver to the agent's own processes. The exploitable scenario is Bring Your Own Vulnerable Driver (BYOVD): an attacker who already holds administrator rights on a target (loading a driver requires SeLoadDriverPrivilege, which is why the CVSS vector rates privileges required as high) copies the legitimately signed fekern.sys to that host, where no tamper protection governs it, loads it as a driver service and drives it from user mode. The attraction for an attacker who is already an administrator is that kernel-mode access defeats user-mode protections on lsass: when LSA Protection (RunAsPPL) is enabled, even an administrator's process is refused a handle to lsass.exe with memory-read rights, but a kernel driver reading on the attacker's behalf is not subject to that check. The CVSS 4.0 base score is 6.2 (medium): attack vector local, attack complexity high, privileges required high, no user interaction. No exploitation in the wild had been reported as of publication. The wider point is the one BYOVD always makes: because the driver carries a valid signature, Driver Signature Enforcement accepts it, and keeping it off a host depends on blocklists and application control rather than on signature checks.
Potential Impact
If exploited, an attacker who already holds administrator rights on a host can read the memory of lsass.exe, which holds cached credentials, NTLM hashes, Kerberos tickets and security tokens, and use what is recovered for credential theft and lateral movement. The direct effect is on confidentiality; the follow-on effect is on the integrity of every system those credentials reach, up to domain-wide compromise if privileged accounts have logged on to the host. There is no remote vector and the attacker must already be an administrator, so this is not an initial-access bug; its value is as an escalation from administrator to kernel-level access that defeats user-mode credential protections such as LSA Protection. Organizations that deploy Trellix Endpoint HX Agent are not the only ones exposed: because BYOVD carries the driver to the victim, any Windows host on which an attacker can load a driver is a potential target, whether or not it runs HX. On hosts where the HX Agent is installed and functional, the vendor states that tamper protection prevents exploitation of the installed driver; that protection does nothing for a copy of the driver loaded on another host, and if an attacker finds a way around tamper protection on a managed host the outcome is the same there: unauthorized access to credentials and potential full system compromise.
Mitigation Recommendations
Verify that every Trellix Endpoint HX Agent installation is on a version beyond the affected range (later than 36.30.0-17, or a vendor-released fix once available); the record provides no patch links, so track Trellix advisories for the fix and for any revocation of the affected driver version. Updating the agent protects the managed host but does not by itself stop BYOVD, because the attacker carries a copy of the old signed driver to the victim, so the controls that matter most are on the driver-loading side. Driver Signature Enforcement will not help here: the driver is legitimately signed. Instead, deploy Windows Defender Application Control (WDAC) with the Microsoft recommended driver block rules and enable Hypervisor-Protected Code Integrity (HVCI) so the vulnerable driver blocklist is enforced; until the affected fekern.sys versions appear in Microsoft's blocklist, add a WDAC deny rule for them yourself (by file hash, or by file name and version), scoped so the legitimate agent deployment on managed hosts keeps working. Keep local administrator membership to a minimum, since loading a driver requires SeLoadDriverPrivilege and the attack is impossible without it. For detection, alert on a load of fekern.sys (Sysmon Event ID 6, or System log Event ID 7045 for a newly installed driver service) on any host that is not in the HX deployment inventory or from a path outside the agent's install directory, and on handles to lsass.exe opened with memory-read rights by processes outside a known allowlist (Sysmon Event ID 10); a kernel driver that reads lsass memory directly may never open a user-mode handle, so the driver-load event is the more reliable signal. Enable Windows Credential Guard, which isolates the secrets in LSAIso under virtualization-based security where even kernel-mode code on the normal OS cannot read them; LSA Protection (RunAsPPL) is still worth having but is exactly the control a kernel driver bypasses. On managed hosts, confirm that the HX Agent's tamper protection is enabled, since it is the only thing standing between a local administrator and the installed driver. Incident response teams should treat any unexpected fekern.sys load or driver-service creation as a probable credential-theft attempt and collect the driver image, the loader process and lsass-access telemetry from the host.
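The affected-range check from the technical summary and the two detection rules from the mitigation section, as an added example that is not Trellix code and is not taken from the advisory: the script classifies an HX Agent version string against the range the analysis gives (30.x through 36.30.0-17), flags a fekern.sys driver load on a host outside the HX deployment inventory or from a path outside the agent's install directory, and flags a handle to lsass.exe opened with PROCESS_VM_READ by a process not on an allowlist. The event records are modelled on Sysmon Event IDs 6 and 10, the sample telemetry is constructed, and the install paths, the xagt.exe binary name and the allowlist are assumptions to be replaced with the deployment's real values.

```python
"""Triage helpers for CVE-2025-14963: fekern.sys as a BYOVD candidate.

Added example, not Trellix code and not from the advisory.  Install paths,
the agent binary name and the allowlist are ASSUMPTIONS; the sample
telemetry at the bottom is constructed, not real log data.
"""
import re
from dataclasses import dataclass

# Affected range as stated in the analysis: 30.x up to and including 36.30.0-17.
FIRST_AFFECTED = (30, 0, 0, 0)
LAST_AFFECTED = (36, 30, 0, 17)

# Sysmon Event ID 10 GrantedAccess bit that permits reading process memory.
PROCESS_VM_READ = 0x0010

# ASSUMPTION: directories a legitimately installed agent loads its driver from.
TRUSTED_DRIVER_DIRS = {
    "c:\\program files\\fireeye\\xagt",
    "c:\\program files (x86)\\fireeye\\xagt",
}

# ASSUMPTION: processes expected to open lsass.exe with read rights on a healthy host.
LSASS_READ_ALLOWLIST = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\svchost.exe",
    "c:\\program files\\fireeye\\xagt\\xagt.exe",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text: str) -> tuple:
    """'36.30.0-17' -> (36, 30, 0, 17); missing fields default to 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised HX Agent version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version: str) -> bool:
    """True when the agent version falls inside 30.x .. 36.30.0-17 inclusive."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


@dataclass(frozen=True)
class DriverLoad:
    """Modelled on Sysmon Event ID 6 (DriverLoad)."""
    host: str
    image_loaded: str
    signed: bool  # expected True: BYOVD works precisely because the driver is validly signed


@dataclass(frozen=True)
class ProcessAccess:
    """Modelled on Sysmon Event ID 10 (ProcessAccess)."""
    host: str
    source_image: str
    target_image: str
    granted_access: int


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _split(path: str) -> tuple:
    """(directory, basename) of a normalised Windows path."""
    head, _, tail = _norm(path).rpartition("\\")
    return head, tail


def triage(events, hx_inventory):
    """Return (host, finding) pairs for BYOVD and lsass-access signals.

    hx_inventory: hostnames on which the HX Agent is legitimately deployed.
    """
    inventory = {h.lower() for h in hx_inventory}
    findings = []
    for ev in events:
        if isinstance(ev, DriverLoad):
            directory, name = _split(ev.image_loaded)
            if name != "fekern.sys":
                continue
            # The signature is deliberately not used as evidence: the driver carries
            # the same valid vendor signature whether the product or an attacker loaded it.
            if ev.host.lower() not in inventory:
                findings.append((ev.host, "fekern.sys loaded on a host with no HX Agent deployment (BYOVD)"))
            elif directory not in TRUSTED_DRIVER_DIRS:
                findings.append((ev.host, f"fekern.sys loaded from unexpected path {ev.image_loaded}"))
        elif isinstance(ev, ProcessAccess):
            if _split(ev.target_image)[1] != "lsass.exe":
                continue
            if not ev.granted_access & PROCESS_VM_READ:
                continue  # query-only handles such as 0x1000 are routine and noisy
            if _norm(ev.source_image) in LSASS_READ_ALLOWLIST:
                continue
            findings.append((ev.host, f"{ev.source_image} opened lsass.exe with access 0x{ev.granted_access:04x}"))
    return findings


# Constructed sample telemetry: one managed workstation and one unmanaged build server.
SAMPLE_INVENTORY = {"ws-0412"}
SAMPLE_EVENTS = [
    DriverLoad("ws-0412", r"C:\Program Files\FireEye\xagt\fekern.sys", True),
    DriverLoad("srv-build-7", r"C:\Users\Public\fekern.sys", True),
    ProcessAccess("srv-build-7", r"C:\Users\Public\loader.exe", r"C:\Windows\System32\lsass.exe", 0x1010),
    ProcessAccess("ws-0412", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", 0x1000),
    ProcessAccess("ws-0412", r"C:\Program Files\FireEye\xagt\xagt.exe", r"C:\Windows\System32\lsass.exe", 0x1010),
]

if __name__ == "__main__":
    for v in ("35.12.1-3", "36.30.0-17", "36.30.0-18"):
        print(f"{v}: {'affected' if is_affected(v) else 'not in affected range'}")
    for host, finding in triage(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print(f"[{host}] {finding}")
```

In production the events would come from Sysmon via Get-WinEvent or a SIEM export rather than the constructed list; the inventory set is the piece that turns a driver load into a BYOVD signal, since on a managed host the same load is normal.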
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: trellix
- Date Reserved: 2025-12-19T10:32:38.416Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e0f3bbe58cf853b2906d3
Added to database: 2/24/2026, 8:51:07 PM
Last enriched: 3/4/2026, 8:26:17 PM
Last updated: 4/10/2026, 2:13:00 PM