Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Lenovo Driver Exploited to Disrupt Security Systems

Lenovo Driver Exploited to Disrupt Security Systems

Posted on May 22, 2026 By CWS

Cybersecurity experts have identified a potential threat in which hackers are exploiting a signed Lenovo driver to bypass security processes. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), allows attackers to circumvent endpoint protection mechanisms effectively.

Analysis of the Threat

Security analyst Jehad Abudagga has investigated the Lenovo driver, BootRepair.sys, which is linked to the Lenovo PC Manager. The findings revealed that this driver could be misused to terminate any processes at the kernel level. At the time of analysis, the driver was digitally signed by Lenovo and showed no alerts on VirusTotal, indicating its potential for stealthy exploitation.

The investigation showed that the driver creates a device object named Device::BootRepair without secure access controls, allowing low-privileged users to interact with it. Additionally, a symbolic link DosDevicesBootRepair exposes the device to user-mode applications, lacking proper access control checks during IRP_MJ_CREATE requests.

Vulnerability Details

Further scrutiny of the driver’s IOCTL handler revealed a control code, 0x222014, which takes a 4-byte input buffer containing a process ID (PID). This PID is used by an internal function that terminates processes via the Windows kernel API ZwTerminateProcess. This vulnerability allows any user to terminate critical processes, including protected security services.

Two main attack scenarios arise from these vulnerabilities. If the driver is already present on a system, a low-privileged attacker can terminate antivirus or Endpoint Detection and Response (EDR) processes. Alternatively, attackers can deploy the driver as part of a BYOVD attack to disable defenses before executing further exploits.

Security Implications and Protections

The research underscores the increasing risk posed by BYOVD attacks, where adversaries exploit trusted drivers to compromise endpoint protections. Since the driver is signed and initially undetected, it can evade traditional security measures based on signature trust.

To mitigate these risks, organizations should block known vulnerable drivers using Microsoft’s recommended blocklist, monitor for suspicious driver activities, restrict loading of unapproved drivers, and utilize EDR solutions that detect misuse of legitimate drivers.

As attackers continue to exploit trusted components, enforcing proactive driver control and behavioral detection strategies is essential to safeguarding modern computing environments.

Cyber Security News Tags:BYOVD, CrowdStrike, Cybersecurity, driver vulnerability, EDR, endpoint protection, Exploit, Hacking, IOCTL, kernel-level, Lenovo, Malware, process termination, Security, Windows API

Post navigation

Previous Post: TrendAI Fixes Exploited Apex One Vulnerability
Next Post: Canadian Arrested for Operating Kimwolf DDoS Botnet

Related Posts

New GhostLocker Tool that Uses Windows AppLocker to Neutralize and Control EDR New GhostLocker Tool that Uses Windows AppLocker to Neutralize and Control EDR Cyber Security News
CanisterWorm Malware Targets npm, Compromises Developer Accounts CanisterWorm Malware Targets npm, Compromises Developer Accounts Cyber Security News
Hackers Exploit Critical WebLogic RCE Flaw Rapidly Hackers Exploit Critical WebLogic RCE Flaw Rapidly Cyber Security News
Starbucks Faces Cyber Breach: 10GB Data Allegedly Stolen Starbucks Faces Cyber Breach: 10GB Data Allegedly Stolen Cyber Security News
Chinese Hackers Employ Custom Malware to Target Government Data Chinese Hackers Employ Custom Malware to Target Government Data Cyber Security News
CISA Issues ICS Advisories for Rockwell Automation, VMware, and Güralp Seismic Monitoring Systems CISA Issues ICS Advisories for Rockwell Automation, VMware, and Güralp Seismic Monitoring Systems Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Phishing Campaign Exploits AnyDesk for Espionage
  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Phishing Campaign Exploits AnyDesk for Espionage
  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark