CVE-2025-70795: ProcessMonitorDriver Vulnerability (BYOVD)
✍️ Applies to: Devices running Safetica Client for Windows
Vulnerability overview
A vulnerability was found in the Safetica Client kernel driver ProcessMonitorDriver.sys that could be abused to perform privileged operations such as process termination via a driver IOCTL interface.
This issue was disclosed independently, without prior coordination with Safetica.
- CVE: CVE-2025-70795
- Severity (CVSS score): CVSS 4.0: 1.8 (Low); CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
- Exploitability: local only (requires prior system compromise)
- Privileges required: LocalSystem
- Affected deployments: Safetica On-Prem and cloud-hosted Safetica
What an attacker could achieve
An attacker with LocalSystem privileges could interact with the driver to perform operations such as terminating processes. However, this does not provide meaningful additional capabilities beyond what is already available at this privilege level.
Impact and exploitability
The vulnerability cannot be exploited by low-privileged users.
Successful exploitation requires execution under the LocalSystem account, meaning the attacker must already fully control the affected machine.
As a result:
- No privilege escalation is possible
- The issue is limited to post-exploitation scenarios only
While certain operations (e.g., process termination) remain possible, they do not significantly increase attacker capabilities beyond what LocalSystem already provides.
Relation to CVE-2026-0828
This issue is closely related to CVE-2026-0828 and shares the same underlying root cause:
Insufficient access control to the driver IOCTL interface
The fix implemented for CVE-2026-0828:
- Restricts access to the driver interface to LocalSystem only
This mitigation:
- Prevents access from low-privileged users
- Eliminates the privilege escalation vector
- Effectively mitigates the exploitation scenario described in CVE-2025-70795
✅ Remediation
Please update to a fixed Safetica version that ships driver version 11.26.18 or newer as soon as possible. The product versions that contain the fixed driver are listed in the table below.
Affected and fixed Safetica versions
| Safetica | Affected versions | Fixed from version |
| --- | --- | --- |
| Safetica 11 – Cumulative release | < 11.26.19 | 11.26.19 and newer |
| Safetica 11 – Feature release | < 11.29.8 | 11.29.8 and newer |
| Safetica 10 | < 10.5.150 | 10.5.150 and newer |
Fixed in the same versions as CVE-2026-0828.
There are two options for updating:
- We recommend updating via the XML. Learn how to perform the update here.
- To update via the Universal Installer, run the installer, select Manual installation, and choose to install Safetica Management Service.
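The following PowerShell script is an added example for verifying the remediation on an endpoint; it is not Safetica's own tooling. It compares the file version of ProcessMonitorDriver.sys against the fixed driver version named above (11.26.18), locates the kernel service that loads the driver, and lists the installed Safetica product versions so they can be checked against the table by release branch. The driver location under System32\drivers, the Uninstall registry keys, and matching the service on its image path are assumptions; the advisory does not state the driver's service name or install path.

```powershell
# Added example (not Safetica's code): check whether the ProcessMonitorDriver.sys
# on this host is at or above the fixed driver version from the advisory.
# Assumed: driver lives under System32\drivers; service is matched on its image path.

$FixedDriverVersion = [version]'11.26.18'   # fixed driver version named in the advisory

function Get-FileVersionObject {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    # FileVersion strings sometimes carry a trailing build tag; keep the dotted numeric part
    $numeric = ($raw -split '[^0-9.]')[0]
    return [version]$numeric
}

function Test-ProcessMonitorDriverFixed {
    param(
        # Assumed location; confirm against the real driver path on your endpoints
        [string]$DriverPath = "$env:SystemRoot\System32\drivers\ProcessMonitorDriver.sys",
        [version]$MinimumVersion = $FixedDriverVersion
    )
    $installed = Get-FileVersionObject -Path $DriverPath
    if ($null -eq $installed) {
        return [pscustomobject]@{
            Path = $DriverPath; Installed = $null; Fixed = $false; Note = 'driver file not found'
        }
    }
    $ok = $installed -ge $MinimumVersion
    [pscustomobject]@{
        Path      = $DriverPath
        Installed = $installed
        Fixed     = $ok
        Note      = if ($ok) { 'at or above fixed driver version' } else { 'UPDATE REQUIRED' }
    }
}

function Get-ProcessMonitorDriverService {
    # The advisory does not give the service name, so match the loaded kernel
    # service on its image path instead.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*ProcessMonitorDriver.sys*' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-SafeticaProductVersions {
    # Uninstall entries (assumed locations) whose DisplayName mentions Safetica;
    # compare DisplayVersion with the advisory table for the matching release branch.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Safetica*' } |
        Select-Object DisplayName, DisplayVersion
}

Test-ProcessMonitorDriverFixed | Format-List
Get-ProcessMonitorDriverService | Format-Table -AutoSize
Get-SafeticaProductVersions | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the driver file and the HKLM keys are readable. A product version alone is not enough to decide exposure, because the cumulative and feature release branches have different fixed-from versions (11.26.19 and 11.29.8); use the driver file version as the deciding check and the product listing to pick the right row of the table.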
Conclusion
CVE-2025-70795 does not represent a new, independently exploitable vulnerability.
It is a variation of the issue addressed in CVE-2026-0828, and the implemented fix fully mitigates its practical impact by removing access from low-privileged users.