Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Lenovo Driver Exploited to Disrupt Security Systems

Lenovo Driver Exploited to Disrupt Security Systems

Posted on May 22, 2026 By CWS

Cybersecurity experts have identified a potential threat in which hackers are exploiting a signed Lenovo driver to bypass security processes. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), allows attackers to circumvent endpoint protection mechanisms effectively.

Analysis of the Threat

Security analyst Jehad Abudagga has investigated the Lenovo driver, BootRepair.sys, which is linked to the Lenovo PC Manager. The findings revealed that this driver could be misused to terminate any processes at the kernel level. At the time of analysis, the driver was digitally signed by Lenovo and showed no alerts on VirusTotal, indicating its potential for stealthy exploitation.

The investigation showed that the driver creates a device object named Device::BootRepair without secure access controls, allowing low-privileged users to interact with it. Additionally, a symbolic link DosDevicesBootRepair exposes the device to user-mode applications, lacking proper access control checks during IRP_MJ_CREATE requests.

Vulnerability Details

Further scrutiny of the driver’s IOCTL handler revealed a control code, 0x222014, which takes a 4-byte input buffer containing a process ID (PID). This PID is used by an internal function that terminates processes via the Windows kernel API ZwTerminateProcess. This vulnerability allows any user to terminate critical processes, including protected security services.

Two main attack scenarios arise from these vulnerabilities. If the driver is already present on a system, a low-privileged attacker can terminate antivirus or Endpoint Detection and Response (EDR) processes. Alternatively, attackers can deploy the driver as part of a BYOVD attack to disable defenses before executing further exploits.

Security Implications and Protections

The research underscores the increasing risk posed by BYOVD attacks, where adversaries exploit trusted drivers to compromise endpoint protections. Since the driver is signed and initially undetected, it can evade traditional security measures based on signature trust.

To mitigate these risks, organizations should block known vulnerable drivers using Microsoft’s recommended blocklist, monitor for suspicious driver activities, restrict loading of unapproved drivers, and utilize EDR solutions that detect misuse of legitimate drivers.

As attackers continue to exploit trusted components, enforcing proactive driver control and behavioral detection strategies is essential to safeguarding modern computing environments.

Cyber Security News Tags:BYOVD, CrowdStrike, Cybersecurity, driver vulnerability, EDR, endpoint protection, Exploit, Hacking, IOCTL, kernel-level, Lenovo, Malware, process termination, Security, Windows API

Post navigation

Previous Post: TrendAI Fixes Exploited Apex One Vulnerability
Next Post: Canadian Arrested for Operating Kimwolf DDoS Botnet

Related Posts

Critical Apache StreamPipes Vulnerability Let Attackers Seize Admin Control Critical Apache StreamPipes Vulnerability Let Attackers Seize Admin Control Cyber Security News
1.2 Million Healthcare Devices and Systems Data Leaked Online 1.2 Million Healthcare Devices and Systems Data Leaked Online Cyber Security News
macOS Gatekeeper Explained: Strengthening System Defenses macOS Gatekeeper Explained: Strengthening System Defenses Cyber Security News
APT28 With Weaponized Office Documents Delivers BeardShell and Covenant Modules APT28 With Weaponized Office Documents Delivers BeardShell and Covenant Modules Cyber Security News
Cornwell Quality Tools Data Breach Cornwell Quality Tools Data Breach Cyber Security News
New EtherHiding Attack Uses Web-Based Attacks to Deliver Malware and Rotate Payloads New EtherHiding Attack Uses Web-Based Attacks to Deliver Malware and Rotate Payloads Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed
  • Vulnerability in GCP Dialogflow Enables Malicious Code Injection

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark