
CVE-2025-51060: n/a

Medium
Published: Tue Aug 05 2025 (08/05/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in CPUID cpuz.sys 1.0.5.4. An attacker can use DeviceIoControl with the unvalidated parameters 0x9C402440 and 0x9C402444 as IoControlCodes to perform RDMSR and WRMSR, respectively. Through this process, the attacker can modify MSR_LSTAR and hook KiSystemCall64. Afterward, using Return-Oriented Programming (ROP), the attacker can manipulate the stack with pre-prepared gadgets, disable the SMAP flag in the CR4 register, and execute a user-mode syscall handler in the kernel context. It has not been confirmed whether this works on 32-bit Windows, but it functions on 64-bit Windows if the core isolation feature is either absent or disabled.

AI-Powered Analysis

Last updated: 08/05/2025, 18:32:46 UTC

Technical Analysis

CVE-2025-51060 is a local privilege escalation vulnerability in version 1.0.5.4 of the CPUID cpuz.sys driver. The driver does not validate the parameters passed through its DeviceIoControl interface for the IOCTL codes 0x9C402440 and 0x9C402444, which perform RDMSR (Read Model-Specific Register) and WRMSR (Write Model-Specific Register) respectively. These are privileged CPU instructions normally restricted to kernel mode, so the driver effectively exposes them to user mode. With WRMSR available, an attacker can overwrite MSR_LSTAR, which holds the address of the system call entry point on 64-bit Windows, and thereby hook KiSystemCall64 so that system calls are redirected to a handler of the attacker's choosing. The attacker then uses Return-Oriented Programming (ROP) to manipulate the stack with pre-prepared gadgets, disables the Supervisor Mode Access Prevention (SMAP) flag in the CR4 control register, and executes a user-mode syscall handler in kernel context. This chain bypasses kernel security mechanisms and yields arbitrary code execution with kernel privileges. The vulnerability is confirmed on 64-bit Windows when the core isolation feature is absent or disabled; whether 32-bit Windows is affected remains unconfirmed. Core isolation uses virtualization-based security to protect critical kernel components, so its absence or disablement enlarges the attack surface. No patches or fixes have been publicly disclosed yet, and no exploits in the wild are known at this time. Exploitation requires local access to invoke the vulnerable IOCTLs but no further user interaction. The lack of input validation and the ability to execute privileged CPU instructions from user mode make this a severe issue that could be leveraged for full system compromise.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially in environments where CPUID's CPU-Z driver is installed and core isolation is disabled or unsupported. Successful exploitation would allow attackers to escalate privileges from user mode to kernel mode, potentially leading to complete system compromise, data theft, or disruption of critical services. This could impact confidentiality, integrity, and availability of sensitive information and systems. Organizations relying on Windows 64-bit systems without core isolation enabled are particularly vulnerable. The ability to bypass kernel protections undermines endpoint security controls and could facilitate the deployment of persistent malware, rootkits, or ransomware. Given that core isolation is not universally enabled by default and may be disabled for compatibility reasons, many enterprise systems remain exposed. This vulnerability could be exploited by insider threats or malware that gains initial user-level access, amplifying the damage. The absence of known exploits in the wild currently limits immediate risk, but the technical details suggest a high potential for weaponization. European organizations in sectors with high-value targets such as finance, government, critical infrastructure, and technology are at elevated risk due to the potential for impactful kernel-level compromise.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately verify whether CPUID cpuz.sys version 1.0.5.4 or similar vulnerable versions are present on their systems and remove or update the driver if possible.
2) Enable Windows core isolation and memory integrity features across all 64-bit Windows endpoints to prevent exploitation, as these features block unauthorized kernel code execution and protect critical kernel structures.
3) Implement strict application whitelisting and device control policies to prevent unauthorized installation or use of vulnerable drivers.
4) Monitor for unusual DeviceIoControl calls with the specified IOCTL codes (0x9C402440 and 0x9C402444) using endpoint detection and response (EDR) tools to detect potential exploitation attempts.
5) Restrict local user privileges to minimize the ability of attackers to invoke privileged IOCTLs.
6) Maintain up-to-date endpoint protection solutions capable of detecting ROP and kernel hooking techniques.
7) Engage with CPUID or relevant vendors for patches or updated driver versions and apply them promptly once available.
8) Conduct regular security audits and penetration testing to identify and remediate similar privilege escalation vectors.

These steps go beyond generic advice by focusing on driver management, kernel protection features, and behavioral monitoring specific to this vulnerability's exploitation method.
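Mitigation step 4 calls for monitoring DeviceIoControl calls carrying the two IOCTL codes. The Python below is an added example, not code from the advisory or from CPUID: it decodes both codes into their CTL_CODE fields and runs that detection rule over constructed EDR-style event lines. The event format, the process names and the severity mapping are assumptions made for the example.

```python
"""Decode the IOCTL codes named in CVE-2025-51060 and flag their use in
EDR-style DeviceIoControl events. Added example; not code from the advisory."""
import re

# IOCTL codes quoted in the advisory: RDMSR and WRMSR respectively.
CPUZ_RDMSR_IOCTL = 0x9C402440
CPUZ_WRMSR_IOCTL = 0x9C402444
SEVERITY = {CPUZ_RDMSR_IOCTL: "medium", CPUZ_WRMSR_IOCTL: "high"}  # assumed mapping

METHOD_NAMES = ("METHOD_BUFFERED", "METHOD_IN_DIRECT",
                "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS_NAMES = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS")

def decode_ioctl(code: int) -> dict:
    """Split a Windows CTL_CODE value into its fields: device type (bits 31..16),
    required access (15..14), function number (13..2) and buffering method (1..0)."""
    return {"device_type": (code >> 16) & 0xFFFF,
            "access": ACCESS_NAMES[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF,
            "method": METHOD_NAMES[code & 0x3]}

# Constructed EDR-style events (not real telemetry); the field layout is an
# assumption. One benign disk query, then a process reading and writing MSRs.
SAMPLE_EVENTS = r"""
2025-08-05T10:01:02Z pid=4412 image=C:\Windows\explorer.exe driver=disk.sys ioctl=0x00070000
2025-08-05T10:07:44Z pid=7320 image=C:\Users\Public\update.exe driver=cpuz.sys ioctl=0x9C402440
2025-08-05T10:07:44Z pid=7320 image=C:\Users\Public\update.exe driver=cpuz.sys ioctl=0x9C402444
2025-08-05T10:08:10Z pid=7320 image=C:\Users\Public\update.exe driver=cpuz.sys ioctl=0x9c402440
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
                      r"driver=(?P<driver>\S+) ioctl=(?P<ioctl>0x[0-9A-Fa-f]+)$")

def find_msr_ioctls(log_text: str) -> list:
    """Return one alert per event that sends either advisory IOCTL to cpuz.sys.
    Malformed lines are skipped; hex case in the log does not matter."""
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        code = int(m["ioctl"], 16)
        if m["driver"].lower() != "cpuz.sys" or code not in SEVERITY:
            continue
        alerts.append({"ts": m["ts"], "pid": int(m["pid"]), "image": m["image"],
                       "ioctl": code, "severity": SEVERITY[code],
                       "op": "WRMSR" if code == CPUZ_WRMSR_IOCTL else "RDMSR"})
    return alerts
```

Both codes decode to device type 0x9C40, METHOD_BUFFERED and FILE_ANY_ACCESS; only the function number (0x910 versus 0x911) separates the read from the write, so the rule keys on the full code rather than on the handle's access rights.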


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68924ac9ad5a09ad00eadd63

Added to database: 8/5/2025, 6:17:45 PM

Last enriched: 8/5/2025, 6:32:46 PM

Last updated: 8/18/2025, 1:22:21 AM
