Bypass Record

BYOVD (Vulnerable Driver) × Fortinet FortiEDR

A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Fortinet FortiEDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Fortinet FortiEDR
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2026-02-04
Config / version noted: Not stated

Provenance

Reported as

Hotta Killer ... passes target security process IDs (e.g., Forti*.exe) to the kernel to force termination, bypassing EDR/AV protections.

Mechanism

Hotta Killer drops a renamed vulnerable driver (UpdateCheckerX64.sys) exploiting CVE-2025-61155 in GameDriverx64.sys. It injects a DLL (polers.dll) into system processes, creates a symbolic link to the driver, and passes target security process IDs (e.g., Forti*.exe) to the kernel to force termination, bypassing EDR/AV protections.

Detection & mitigation

Monitor for unexpected driver loads (especially renamed gaming drivers) and creation of symbolic links to driver objects. Detect process termination of security tools via kernel-mode callbacks. Block known vulnerable drivers using Microsoft's vulnerable driver blocklist or WDAC.


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.