vulnerable driver Archives

Winsage

May 5, 2026

April 2026 Windows Update Breaks Third-Party Backup Software by Blocking Vulnerable Driver

Microsoft will include the psmounterex.sys driver in its Vulnerable Driver Blocklist in the April 2026 security update, affecting third-party backup applications that use this driver for image mounting and Volume Shadow Copy Service (VSS) snapshots. This decision addresses CVE-2023-43896, a critical buffer overflow vulnerability. Affected software includes Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup on Windows 11, Windows 10, and Windows Server platforms. Users may face issues during image-mount operations, receiving error messages related to VSS timeouts and Code Integrity errors in the Event Viewer. To check if a system is affected, users can look for Event ID 3077 in the Code Integrity Operational log. Microsoft recommends upgrading to newer versions of backup applications that do not use blocked drivers and advises against uninstalling or delaying the April update. Additionally, the update may cause certain Windows Server 2025 devices to boot into BitLocker recovery mode and has led to out-of-band updates for Windows Server update failures and restart loops on domain controllers.

Winsage

May 5, 2026

Defender yanks root certs as Windows updates blocks backups

Microsoft's Defender anti-malware tool update version 1.449.425.0 removed two DigiCert root digital certificates, leading to false positives that flagged them as severe malware (Trojan:Win32/Cerdigent.A!dha). This incident was later identified as a false positive, and updating to version 1.449.430.0 or later reinstates the certificates. The issue may be linked to a DigiCert employee encountering disguised malware. Additionally, Windows updates from April 14 caused third-party backup applications to malfunction due to the addition of vulnerable psmounterex.sys kernel driver versions to a blocklist. Users experienced difficulties with mounting backup image files, and Microsoft referenced a vulnerability rated 9.3 out of 10 in the driver. Other affected software includes Acronis Cyber Protect Cloud and UrBackup server. Microsoft has not explained the delay in adding the vulnerable driver to the blocklist, and other recent update-related issues have also been reported.

Winsage

May 4, 2026

Microsoft confirms April Windows updates cause backup failures

Microsoft has acknowledged that the April 2026 security updates have disrupted the functionality of various third-party backup applications using the psmounterex.sys driver, raising concerns among users. The issue primarily affects software leveraging the Volume Shadow Copy Service (VSS) snapshots, leading to failures due to VSS service timeouts. Notable impacted products include Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup, used on Windows 11, Windows Server, and Windows 10 devices. Disruptions can manifest as failures to mount backup image files, errors or timeouts when browsing or restoring from backup images, and error messages related to VSS timeouts. Microsoft updated its support documentation to clarify that the April updates included a security hardening change that added psmounterex.sys to the vulnerable driver blocklist to protect against a high-severity buffer overflow vulnerability (CVE-2023-43896). Affected users are advised to upgrade to newer application versions with updated drivers and not to uninstall or pause the security update. Users can check if the Microsoft Vulnerable Driver Blocklist is blocking a driver by looking for Event ID 3077 in the Code Integrity Operational log. Additionally, Microsoft has alerted users that some Windows Server 2025 devices may boot into BitLocker recovery mode after installing the KB5082063 update and has issued out-of-band updates to address installation failures and restart loops affecting Windows Server systems after the April 2026 updates.

Winsage

March 31, 2026

Microsoft’s April 2026 Windows Update Ends Trust for Cross-Signed Kernel Drivers

Microsoft will eliminate default trust for kernel drivers signed through the outdated cross-signed root program with the April 2026 Windows update. All new kernel drivers must be certified via the Windows Hardware Compatibility Program (WHCP). This change will affect Windows 11 builds 24H2, 25H2, and 26H1, as well as Windows Server 2025, with future versions following the same standards. The update will begin in evaluation mode, monitoring driver loads for compliance before transitioning to enforcement mode. An allow list of reputable drivers will be maintained for legacy hardware, and enterprises can use Application Control for Business policies to authorize specific drivers. Users with older hardware may face compatibility issues if their drivers are not WHCP-certified.

Tech Optimizer

March 16, 2026

What Is a Crypto Miner Virus?

A crypto miner virus, or cryptojacking malware, secretly uses a device’s CPU or GPU to mine cryptocurrency for an attacker, leading to increased electricity costs and potential hardware damage for the victim. It typically infects devices through phishing emails, pirated software, compromised websites, and malicious browser extensions. Monero is the preferred cryptocurrency for mining due to its efficiency on standard CPUs and privacy features. Signs of infection include overheating, high CPU usage, and increased electricity bills. Detection involves monitoring system performance and running antivirus scans. Prevention includes using antivirus software, keeping systems updated, and avoiding pirated software. Notable incidents include attacks on a European water utility and the Los Angeles Times website.

Tech Optimizer

November 6, 2025

DragonForce Cartel Emerges Following Conti v3 Ransomware Source Code Leak

Acronis Threat Research Unit (TRU) analyzed the DragonForce ransomware cartel, which emerged in 2023 as a Ransomware-as-a-Service (RaaS) operation and transitioned to a cartel model. DragonForce utilizes leaked Conti v3 code and has similarities with LockBit Green in encryption and backend configurations. By early 2025, it rebranded as the “DragonForce Ransomware Cartel,” offering affiliates 80 percent profit shares and infrastructure support. The cartel has over 200 victims from various sectors since late 2023 and is known for its attack on Marks & Spencer, collaborating with Scattered Spider. DragonForce employs bring-your-own-vulnerable-driver (BYOVD) techniques to evade endpoint protection and has improved its encryption methods. The group has spawned offshoots like Devman and Mamona, which utilize its enhanced encryptor.

Winsage

October 16, 2025

U.S. CISA adds SKYSEA Client View, Rapid7 Velociraptor, Microsoft Windows, and IGEL OS flaws to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog to include several critical flaws: - CVE-2016-7836: SKYSEA Client View Improper Authentication Vulnerability - CVE-2025-6264: Rapid7 Velociraptor Incorrect Default Permissions Vulnerability - CVE-2025-24990: Microsoft Windows Untrusted Pointer Dereference Vulnerability - CVE-2025-47827: IGEL OS Use of a Key Past its Expiration Date Vulnerability - CVE-2025-59230: Microsoft Windows Improper Access Control Vulnerability Details of the vulnerabilities include: - CVE-2016-7836 allows remote code execution due to inadequate authentication in SKYSEA Client View. - CVE-2025-6264 permits arbitrary command execution in Rapid7 Velociraptor, potentially leading to endpoint takeover. - CVE-2025-24990 and CVE-2025-59230 are zero-day vulnerabilities in Microsoft Windows that facilitate privilege escalation. - CVE-2025-47827 impacts IGEL OS, allowing for a Secure Boot bypass and potential deployment of kernel-level rootkits. Federal agencies must address these vulnerabilities by November 4, 2025, as per Binding Operational Directive (BOD) 22-01. Private organizations are also advised to review the KEV catalog for necessary actions.

Tech Optimizer

September 24, 2025

EDR Bypass Technique Puts Antivirus Tools To Sleep

Endpoint detection and response (EDR) systems and antivirus protections are increasingly targeted by threat actors using sophisticated techniques. A new method called EDR-Freeze has been introduced, which utilizes Windows Error Reporting and the MiniDumpWriteDump function to hibernate antivirus processes without needing to install vulnerable drivers. This technique operates entirely in user mode and was disclosed by an anonymous researcher known as Two One Seven Three on Zero Salarium. The MiniDumpWriteDump function can suspend all threads within a target process during the dump process, which is crucial to avoid memory corruption. The researcher faced challenges with the rapid execution of MiniDumpWriteDump and the security measures protecting EDR and antivirus processes. By reverse-engineering the WerFaultSecure program, the researcher enabled MiniDumpWriteDump for any chosen process and integrated it with the CreateProcessAsPPL tool to bypass Protected Process Light (PPL) protections. The researcher proposed a race condition attack consisting of four steps: executing WerFaultSecure with WinTCB-level protection, configuring it to dump the target process, monitoring the target process until it is suspended, and then suspending the WerFaultSecure process. A tool to execute this exploit is available on GitHub, and another researcher has developed a KQL rule for its detection. The EDR-Freeze technique exploits a vulnerability in the WerFaultSecure program, addressing the weaknesses of the BYOVD method and allowing flexible control over EDR and antivirus programs.

Winsage

September 22, 2025

New EDR-Freeze tool uses Windows WER to suspend security software

A new technique called EDR-Freeze allows evasion of security solutions through Microsoft's Windows Error Reporting (WER) system, enabling attackers to suspend endpoint detection and response (EDR) tools without relying on vulnerable drivers. Security researcher TwoSevenOneThree utilized the WER framework and the MiniDumpWriteDump API to indefinitely suspend EDR and antivirus processes by exploiting the WerFaultSecure component, which operates with Protected Process Light (PPL) privileges. The method involves spawning WerFaultSecure, invoking MiniDumpWriteDump on the target process, monitoring the target until it is suspended, and then freezing the dumper. A tool has been developed to automate this process, successfully tested on Windows 11 24H2, which froze the Windows Defender process. To mitigate this attack, monitoring WER for identifiers linked to sensitive processes is recommended, and security researcher Steven Lim has created a tool to map WerFaultSecure to Microsoft Defender Endpoint processes. Microsoft has the opportunity to enhance these components against misuse by implementing restrictions on suspicious invocations.

Tech Optimizer

September 22, 2025

Hackers Deploy New EDR-Freeze Tool to Disable Security Software

A security researcher has developed a tool called EDR-Freeze that allows for the temporary disabling of endpoint detection and response (EDR) systems and antivirus software without using vulnerable drivers. EDR-Freeze exploits the Windows Error Reporting functionality to execute a race condition attack that suspends security processes, specifically targeting the WerFaultSecure.exe process. The tool can successfully suspend the MsMpEng.exe process of Windows Defender on Windows 11 24H2. It operates entirely within user-mode and uses legitimate Windows components, making detection more difficult for security teams. The source code for EDR-Freeze is publicly available on GitHub, intended for legitimate security research, but poses risks of misuse by malicious actors. Security teams are advised to monitor for suspicious activity related to WerFaultSecure.exe and to enhance their process protection mechanisms.