CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 22, 2026

Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes

Cybersecurity News Archived May 22, 2026 ✓ Full text saved

Hackers can weaponize a legitimately signed Lenovo driver to terminate security processes, highlighting a dangerous Bring Your Own Vulnerable Driver (BYOVD) attack vector that can bypass endpoint protection controls. Security researcher Jehad Abudagga has analyzed a Lenovo driver, BootRepair.sys, originally associated with the Lenovo PC Manager utility, and discovered that it can be abused to kill […] The post Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes appeared first on Cyber

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes By Abinaya May 22, 2026 Hackers can weaponize a legitimately signed Lenovo driver to terminate security processes, highlighting a dangerous Bring Your Own Vulnerable Driver (BYOVD) attack vector that can bypass endpoint protection controls. Security researcher Jehad Abudagga has analyzed a Lenovo driver, BootRepair.sys, originally associated with the Lenovo PC Manager utility, and discovered that it can be abused to kill arbitrary processes at the kernel level. The driver (SHA-256: 5ab36c116767eaae53a466fbc2dae7cfd608ed77721f65e83312037fbd57c946) is digitally signed by Lenovo and, at the time of analysis, showed no detections on VirusTotal, making it an attractive candidate for stealthy abuse. Driver on Virus total(source : Jehad Abudagga) Lenovo Driver Kills EDR Reverse engineering of the driver reveals multiple security weaknesses that enable unprivileged access and process termination capabilities: The driver creates a device object named \\Device\\::BootRepair without applying a secure DACL, allowing low-privileged users to interact with it. A symbolic link \\DosDevices\\BootRepair exposes the device to user-mode applications. No access control checks are enforced when handling IRP_MJ_CREATE requests, meaning any user can obtain a handle to the driver. Further analysis of the IOCTL handler shows that the driver exposes a single control code, 0x222014, which accepts a 4-byte input buffer. This buffer contains a process ID (PID) that is passed to an internal routine that terminates processes. The underlying function leverages the Windows kernel API ZwTerminateProcess to kill the specified PID, effectively granting any user the ability to terminate arbitrary processes, including protected or security-critical services. TerminateProcessByPID Function(source : Jehad Abudagga) The vulnerabilities enable two primary attack scenarios: If the driver is already present on a system, a low-privileged attacker can directly interact with it to terminate antivirus or EDR processes. If not present, attackers can deploy the signed driver as part of a BYOVD attack, loading it into the kernel to turn off defenses before executing post-exploitation tools. In a proof-of-concept demonstration, the researcher showed that even protected processes, such as CrowdStrike’s Falcon sensor, can be terminated after the driver is loaded. Crowdstrike process is killed(source : medium) Once disabled, offensive tools like credential dumpers can be executed without interference. Researcher Jehad Abudagga said in a report shared with Cyber Security News that the PoC interacts with the driver using standard Windows APIs: Opens a handle to \\.\BootRepair. Sends a target PID via IOCTL 0x222014. The driver terminates the process in kernel mode. This simple interaction demonstrates how minimal effort is required to weaponize the flaw once the driver is accessible. Running mimikatz after killing CrowdStrike process (Source: Jehad Abudagga) Security Implications This issue underscores the growing threat of BYOVD attacks, in which adversaries exploit trusted, signed drivers to undermine endpoint protections. Because the driver is legitimately signed and initially undetected, it can evade traditional security controls that rely on signature trust. Organizations should consider: Blocking known vulnerable drivers using Microsoft’s recommended driver blocklist. Monitoring for suspicious driver loads and kernel-level behavior. Restricting the ability to load unsigned or unapproved drivers. Leveraging EDR protections that detect abuse of legitimate drivers. As attackers continue to abuse trusted components, proactive driver control and behavioral detection remain critical to defending modern endpoints. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack GitHub Internal Repositories Breached Via Weaponized VS Code Extension Authorities Have Taken Down “First VPN” Used in Ransomware Attacks Operation Ramz Seizes 53 Servers Linked to Cyber Scams and Malware Threats Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922 Latest News Cyber Security News Discord Announces End-to-End Encryption by Default for Video and Voice Messages Cyber Attack News Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours Cyber Security News Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware Cyber Security News TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs Cyber Security News Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 22, 2026
    Archived
    May 22, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗