Bypass Record

BYOVD (Vulnerable Driver) × Palo Alto Networks Cortex XDR

A publicly-reported instance of BYOVD (Vulnerable Driver) bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Palo Alto Networks Cortex XDR
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
in the wild
Disclosed
2026-02-10
Config / version noted
Not stated

Provenance

Reported as

terminate security processes (e.g., CrowdStrike Falcon, Cortex XDR) with sufficient privileges

Mechanism

Reynolds embeds the signed but vulnerable NSecKrnl driver inside its ransomware binary. On execution, the ransomware loads the driver and abuses CVE-2025-68947 to terminate security processes (e.g., CrowdStrike Falcon, Cortex XDR) with sufficient privileges, then encrypts files without dropping a separate driver file, evading disk-based detection.

Detection & mitigation

Monitor for unexpected termination of EDR processes (e.g., via Sysmon Event ID 5, ProcessTerminate, or EDR self-protection alerts) and block known vulnerable drivers such as NSecKrnl using Microsoft's vulnerable driver blocklist or AppLocker. Deploy application control policies that restrict which drivers can load, and ensure EDR tamper protection is enabled.
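As an added illustration of the monitoring advice above (example code written for this record, not drawn from the cited source or from any vendor tooling), the script below walks a handful of constructed Sysmon events rendered as "Key: Value" text. It raises an alert when a Sysmon Event ID 5 (ProcessTerminate) hits a watchlisted EDR image that is not re-created (Event ID 1) within a short grace window, which separates a benign service restart from a kill, and when a Sysmon Event ID 6 (DriverLoad) names a driver on a local blocklist. The EDR image names are placeholders, not Cortex XDR's real process names; NSecKrnl is the only driver name taken from the record, and the 60-second grace window is an assumed tuning value.

```python
"""Flag unexpected EDR process terminations and vulnerable-driver loads in Sysmon output.

Added example, not from the cited source. Assumptions: events arrive as Sysmon's
rendered message text (one "Key: Value" per line after a title line); the EDR
process names in EDR_IMAGES are placeholders, not a vendor's documented names.
"""
from datetime import datetime, timedelta

# Placeholder watchlist of EDR user-mode image names (compared case-insensitively).
EDR_IMAGES = {"edr_service.exe", "edr_agent.exe"}
# Driver file names treated as known-vulnerable; NSecKrnl is the one named in the record.
# A production control matches on hash or signer (Microsoft's blocklist), not on file name.
BLOCKED_DRIVERS = {"nseckrnl.sys"}
# Assumed tuning: a watchlisted process re-created within this window counts as a restart.
RESTART_GRACE = timedelta(seconds=60)

# Constructed sample events as (Sysmon EventID, rendered message text).
SAMPLE_EVENTS = [
    (5, "Process terminated:\nUtcTime: 2026-02-10 09:00:00.000\nProcessId: 100\n"
        "Image: C:\\Program Files\\EDR\\edr_agent.exe"),
    (1, "Process Create:\nUtcTime: 2026-02-10 09:00:05.000\nProcessId: 140\n"
        "Image: C:\\Program Files\\EDR\\edr_agent.exe\n"
        "ParentImage: C:\\Windows\\System32\\services.exe"),
    (6, "Driver loaded:\nUtcTime: 2026-02-10 09:30:00.000\n"
        "ImageLoaded: C:\\Users\\Public\\NSecKrnl.sys\nSigned: true"),
    (5, "Process terminated:\nUtcTime: 2026-02-10 09:30:02.000\nProcessId: 160\n"
        "Image: C:\\Program Files\\EDR\\edr_service.exe"),
    (5, "Process terminated:\nUtcTime: 2026-02-10 09:31:00.000\nProcessId: 200\n"
        "Image: C:\\Windows\\System32\\notepad.exe"),
]


def parse_fields(text):
    """Turn a rendered Sysmon message into a dict, skipping the title line."""
    fields = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def analyze(events):
    """Return alerts as (kind, UtcTime string, path) tuples in event order."""
    parsed = [(eid, parse_fields(msg)) for eid, msg in events]
    # Process-create times per image, used to recognise a benign restart.
    creates = [(parse_time(f["UtcTime"]), image_name(f["Image"]))
               for eid, f in parsed if eid == 1]
    alerts = []
    for eid, f in parsed:
        if eid == 6 and image_name(f["ImageLoaded"]) in BLOCKED_DRIVERS:
            alerts.append(("vulnerable_driver_load", f["UtcTime"], f["ImageLoaded"]))
        elif eid == 5:
            name = image_name(f["Image"])
            if name not in EDR_IMAGES:
                continue
            ended = parse_time(f["UtcTime"])
            restarted = any(name == c_name and ended <= c_time <= ended + RESTART_GRACE
                            for c_time, c_name in creates)
            if not restarted:
                alerts.append(("edr_terminated_without_restart", f["UtcTime"], f["Image"]))
    return alerts


if __name__ == "__main__":
    for kind, when, what in analyze(SAMPLE_EVENTS):
        print(f"{when}  {kind}  {what}")
```

In the constructed sample, the 09:00 termination of edr_agent.exe is suppressed because the same image is created five seconds later, while the NSecKrnl load and the edr_service.exe kill two seconds after it both produce alerts. In a real pipeline the restart check would also consult EDR self-protection telemetry, and the driver check would key on Microsoft's blocklist hashes rather than a file name, since the record notes the driver need not exist as a separate file on disk.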


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.