
CVE-2025-63602: n/a

Severity: High
Published: Tue Nov 18 2025 (11/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A vulnerability was discovered in Awesome Miner through 11.2.4 that allows arbitrary read and write access to kernel memory and MSRs (such as LSTAR) as an unprivileged user. This is due to the inclusion of an insecure version of WinRing0 (1.2.0.5, renamed to IntelliBreeze.Maintenance.Service.sys) that lacks a properly secured DACL, allowing unprivileged users to interact with the driver and, as a result, the kernel. This can result in local privilege escalation, information disclosure, denial of service, and other unspecified impacts.

AI-Powered Analysis

Last updated: 11/18/2025, 15:40:18 UTC

Technical Analysis

CVE-2025-63602 is a critical local privilege escalation vulnerability discovered in Awesome Miner software versions up to 11.2.4. The root cause is the inclusion of an insecure version of the WinRing0 driver (version 1.2.0.5), renamed as IntelliBreeze.Maintenance.Service.sys, which lacks a properly secured discretionary access control list (DACL). This misconfiguration allows any unprivileged user on the system to interact directly with the driver, enabling arbitrary read and write access to kernel memory and model-specific registers (MSRs) such as LSTAR, which controls system call entry points. By manipulating these kernel-level resources, an attacker can execute arbitrary code with kernel privileges, leading to local privilege escalation. The vulnerability can also cause information disclosure by reading sensitive kernel memory and denial of service by corrupting critical kernel structures. The lack of authentication or user interaction requirements means any local user can exploit this flaw. Although no known public exploits have been reported yet, the vulnerability is severe due to the direct kernel memory access it grants. The affected software is primarily used on Windows platforms, and the vulnerability is tied to the driver implementation within Awesome Miner. This flaw highlights the risks of including third-party drivers without proper security hardening and access controls.

Potential Impact

For European organizations, this vulnerability poses significant risks, especially those using Awesome Miner for cryptocurrency mining or related IT operations. Successful exploitation allows attackers with local access to escalate privileges to SYSTEM or kernel level, potentially bypassing security controls and gaining full control over affected machines. This can lead to theft of sensitive data, deployment of persistent malware, disruption of mining operations, or broader network compromise if lateral movement is achieved. Information disclosure risks may expose confidential kernel memory contents, aiding further attacks. Denial of service impacts could disrupt critical infrastructure or business continuity. Organizations with shared or multi-user environments, such as mining farms or managed service providers, are particularly vulnerable. The absence of known exploits currently reduces immediate risk, but the vulnerability’s nature makes it a prime target for attackers seeking local privilege escalation on Windows systems.

Mitigation Recommendations

To mitigate CVE-2025-63602, European organizations should immediately audit their use of Awesome Miner software and identify any installations running versions up to 11.2.4. Since no official patch or update links are provided, organizations should contact the vendor for a secure update or guidance on replacing the vulnerable WinRing0 driver with a properly secured version. Restrict local user permissions to prevent untrusted users from accessing or interacting with the driver. Employ application whitelisting and endpoint detection to monitor for suspicious driver interactions or kernel memory access attempts. Consider isolating mining operations on dedicated, hardened systems with minimal user access. Regularly review and harden discretionary access control lists (DACLs) on kernel drivers and services. Implement robust logging and alerting for privilege escalation attempts. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.
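As an added example (not part of the advisory or of Awesome Miner), the following PowerShell audit implements the first mitigation step above: it inventories a Windows host for the renamed WinRing0 driver by the file name and version the advisory gives. The service name and device object name are not stated on the page, so the script searches by file name only and reports the driver's service state and on-disk file ACL; the device object's own DACL, which is the actual weakness, still has to be inspected separately with an object-manager tool.

```powershell
# Added example, not from the advisory. File name and version are taken from
# CVE-2025-63602; the service/device names are unknown, so we search by file name.
$DriverFileName    = 'IntelliBreeze.Maintenance.Service.sys'
$VulnerableVersion = '1.2.0.5'

function Find-IntelliBreezeDriver {
    param([string]$FileName, [string]$BadVersion)
    $findings = @()

    # 1. Registered kernel driver services whose image path ends with the file name.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -like "*$FileName" }
    foreach ($svc in $services) {
        # Normalise NT-style image paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
        $path = $svc.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $ver  = if ($file) { $file.VersionInfo.FileVersion } else { 'unknown' }
        $acl  = if ($file) { (Get-Acl -LiteralPath $path).AccessToString } else { 'n/a' }
        $findings += [pscustomobject]@{
            Source      = 'service'
            Service     = $svc.Name
            State       = $svc.State
            StartMode   = $svc.StartMode
            Path        = $path
            FileVersion = $ver
            Vulnerable  = ($ver -eq $BadVersion)
            FileAcl     = $acl   # on-disk ACL only; NOT the device object's DACL
        }
    }

    # 2. Copies of the file sitting in the drivers directory without a service entry.
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-ChildItem -LiteralPath $driverDir -Filter $FileName -ErrorAction SilentlyContinue |
        Where-Object { $findings.Path -notcontains $_.FullName } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Source = 'file'; Service = ''; State = ''; StartMode = ''
                Path = $_.FullName; FileVersion = $_.VersionInfo.FileVersion
                Vulnerable = ($_.VersionInfo.FileVersion -eq $BadVersion)
                FileAcl = (Get-Acl -LiteralPath $_.FullName).AccessToString
            }
        }
    return $findings
}

Find-IntelliBreezeDriver -FileName $DriverFileName -BadVersion $VulnerableVersion |
    Format-List
```

A non-empty result with `Vulnerable = True` on a host means the affected driver is present and should be treated as an open local privilege escalation path until the vendor supplies a hardened build.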


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 691c93529b9483ee9a6cccdf

Added to database: 11/18/2025, 3:40:02 PM

Last enriched: 11/18/2025, 3:40:18 PM

Last updated: 11/19/2025, 3:55:29 AM
