CVE-2025-6217: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in PEAK-System Driver
PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of PEAK-System Driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of the PCANFD_ADD_FILTERS IOCTL. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel. Was ZDI-CAN-24161.
AI Analysis
Technical Summary
CVE-2025-6217 is a Time-of-Check Time-of-Use (TOCTOU) race condition in the PEAK-System Driver, specifically in the handling of the PCANFD_ADD_FILTERS IOCTL command. The flaw stems from inadequate locking around operations on an object: the state the driver checks can change before the driver uses it, leaving a window in which it acts on stale or inconsistent data. A local attacker who can already execute low-privileged code on the target system can exploit this window to disclose sensitive information. While the immediate impact is information disclosure, the vulnerability can be chained with other exploits to achieve arbitrary code execution in kernel context, which significantly raises the threat level.
The vulnerability affects version 8.18.0 of the PEAK-System Driver and was publicly disclosed on June 21, 2025. The CVSS v3.0 base score is 3.8, a low severity rating, primarily because exploitation requires local privileges; no user interaction is needed. The vulnerability does not directly affect integrity or availability; it compromises confidentiality. No exploits are known in the wild and no patches have been linked yet.
The CWE-367 classification reflects the race-condition nature of the flaw, a common concurrency weakness that leads to unpredictable behavior and exploitable gaps. Because the driver interfaces with CAN (Controller Area Network) hardware widely used in automotive and industrial control systems, exploitation could have broader consequences if combined with other vulnerabilities or used as a foothold for deeper system compromise.
Potential Impact
For European organizations, the primary impact of CVE-2025-6217 is the potential exposure of sensitive information on systems running the affected PEAK-System Driver version 8.18.0. Because exploitation requires local low-privileged code execution, the vulnerability matters most in environments where attackers can gain initial access, for example through phishing, insider threats, or other local attack vectors. The driver is commonly used in automotive diagnostics, industrial automation, and embedded systems, sectors that are significant in Europe's manufacturing and automotive industries. Disclosed information could include configuration details, memory contents, or other data that facilitates further exploitation or lateral movement. Chained with other vulnerabilities, the flaw could let attackers escalate privileges to kernel level and fully compromise the system, disrupting critical infrastructure, manufacturing processes, or automotive systems and potentially causing operational downtime or safety risks. The low CVSS score does not fully capture the risk of chained exploits or the strategic importance of affected systems in European industrial environments. Organizations relying on PEAK-System hardware and drivers should treat this vulnerability as a possible first step in a multi-stage attack against industrial control systems or automotive technology.
Mitigation Recommendations
1. Restrict local access: Limit the ability to execute low-privileged code locally by enforcing strict endpoint security controls, including application whitelisting and robust user privilege management.
2. Monitor and audit: Implement detailed logging and monitoring of driver-related IOCTL calls and unusual local process behaviors to detect potential exploitation attempts early.
3. Segmentation: Isolate systems running PEAK-System drivers, especially those interfacing with critical industrial or automotive networks, to reduce the attack surface and prevent lateral movement.
4. Update and patch management: Although no patches are currently linked, maintain close communication with PEAK-System for timely updates and apply patches immediately upon release.
5. Code integrity checks: Employ kernel-mode code signing enforcement and integrity verification to prevent unauthorized or malicious driver modifications.
6. Defense in depth: Combine this with network-level protections and endpoint detection and response (EDR) solutions that can identify suspicious local activities indicative of exploitation attempts.
7. Vulnerability chaining awareness: Train security teams to recognize that this vulnerability can be part of a multi-stage attack and to prioritize investigation of related anomalies that could indicate privilege escalation attempts.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: zdi
- Date Reserved: 2025-06-17T21:50:30.569Z
- CVSS Version: 3.0
- State: PUBLISHED
Added to database: 6/21/2025, 10:50:40 AM
Last enriched: 6/21/2025, 12:52:15 PM
Last updated: 8/5/2025, 4:22:01 AM