Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Intune

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Intune, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Intune
Technique: BYOVD (Vulnerable Driver)
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: in the wild
Disclosed: 2026-03-13
Config / version noted: Not stated

Provenance

Reported as

abused Microsoft Intune to push remote wipe commands to endpoints, bypassing traditional endpoint security

Mechanism

Attackers abused Microsoft Intune, a device management component, to push base64-encoded payloads containing remote wipe commands to phones and workstations, effectively wiping affected devices and bypassing traditional endpoint security protections.

Detection & mitigation

Monitor Intune audit logs for anomalous device wipe or configuration push activities, especially base64-encoded payloads. Implement conditional access policies and restrict Intune administrative privileges to prevent unauthorized device management actions.
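
One way to run the audit-log check described above, as an added example that is not part of the original record or its source. The event layout is an assumption loosely modelled on Microsoft Graph's Intune auditEvent resource (actor flattened to a string), and every value, threshold and function name is constructed for illustration.

```python
import base64, binascii, re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are an assumption (see lead-in), values invented.
BLOB = base64.b64encode(b"constructed placeholder payload " * 2).decode()
WIPES = ["02:14:05", "02:14:40", "02:15:10", "02:16:55"]
EVENTS = [{"activityDateTime": f"2026-01-15T{t}Z", "activityType": "wipe ManagedDevice",
           "actor": "admin-a@example.test", "newValue": ""} for t in WIPES] + [
    {"activityDateTime": "2026-01-15T09:30:00Z", "activityType": "wipe ManagedDevice",
     "actor": "helpdesk@example.test", "newValue": ""},
    {"activityDateTime": "2026-01-15T02:13:00Z", "activityType": "Create DeviceManagementScript",
     "actor": "admin-a@example.test", "newValue": "scriptContent=" + BLOB},
    {"activityDateTime": "2026-01-15T11:00:00Z", "activityType": "Patch DeviceConfiguration",
     "actor": "helpdesk@example.test", "newValue": "displayName=Wi-Fi profile v2"},
]

WIPE_RE = re.compile(r"\b(wipe|retire)\b", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long runs only, to limit noise

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: peak count} for actors with >= threshold wipes inside any window."""
    by_actor = defaultdict(list)
    for e in events:
        if WIPE_RE.search(e["activityType"]):
            by_actor[e["actor"]].append(parse_ts(e["activityDateTime"]))
    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[actor] = max(hits.get(actor, 0), hi - lo + 1)
    return hits

def base64_payloads(events):
    """Return (actor, activityType) for events whose pushed value holds decodable base64."""
    out = []
    for e in events:
        for m in B64_RE.finditer(e.get("newValue", "")):
            blob = m.group(0)
            try:
                base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            except (binascii.Error, ValueError):
                continue
            out.append((e["actor"], e["activityType"]))
            break
    return out
```

The burst threshold and window need tuning against the tenant's normal device-lifecycle volume before either function drives an alert.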

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.