Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes
Cybersecurity NewsArchived May 22, 2026✓ Full text saved
Hackers can weaponize a legitimately signed Lenovo driver to terminate security processes, highlighting a dangerous Bring Your Own Vulnerable Driver (BYOVD) attack vector that can bypass endpoint protection controls. Security researcher Jehad Abudagga has analyzed a Lenovo driver, BootRepair.sys, originally associated with the Lenovo PC Manager utility, and discovered that it can be abused to kill […] The post Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes appeared first on Cyber
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hackers Can Weaponize Lenovo Driver to Terminate EDR Processes
By Abinaya
May 22, 2026
Hackers can weaponize a legitimately signed Lenovo driver to terminate security processes, highlighting a dangerous Bring Your Own Vulnerable Driver (BYOVD) attack vector that can bypass endpoint protection controls.
Security researcher Jehad Abudagga has analyzed a Lenovo driver, BootRepair.sys, originally associated with the Lenovo PC Manager utility, and discovered that it can be abused to kill arbitrary processes at the kernel level.
The driver (SHA-256: 5ab36c116767eaae53a466fbc2dae7cfd608ed77721f65e83312037fbd57c946) is digitally signed by Lenovo and, at the time of analysis, showed no detections on VirusTotal, making it an attractive candidate for stealthy abuse.
Driver on Virus total(source : Jehad Abudagga)
Lenovo Driver Kills EDR
Reverse engineering of the driver reveals multiple security weaknesses that enable unprivileged access and process termination capabilities:
The driver creates a device object named \\Device\\::BootRepair without applying a secure DACL, allowing low-privileged users to interact with it.
A symbolic link \\DosDevices\\BootRepair exposes the device to user-mode applications.
No access control checks are enforced when handling IRP_MJ_CREATE requests, meaning any user can obtain a handle to the driver.
Further analysis of the IOCTL handler shows that the driver exposes a single control code, 0x222014, which accepts a 4-byte input buffer. This buffer contains a process ID (PID) that is passed to an internal routine that terminates processes.
The underlying function leverages the Windows kernel API ZwTerminateProcess to kill the specified PID, effectively granting any user the ability to terminate arbitrary processes, including protected or security-critical services.
TerminateProcessByPID Function(source : Jehad Abudagga)
The vulnerabilities enable two primary attack scenarios:
If the driver is already present on a system, a low-privileged attacker can directly interact with it to terminate antivirus or EDR processes.
If not present, attackers can deploy the signed driver as part of a BYOVD attack, loading it into the kernel to turn off defenses before executing post-exploitation tools.
In a proof-of-concept demonstration, the researcher showed that even protected processes, such as CrowdStrike’s Falcon sensor, can be terminated after the driver is loaded.
Crowdstrike process is killed(source : medium)
Once disabled, offensive tools like credential dumpers can be executed without interference.
Researcher Jehad Abudagga said in a report shared with Cyber Security News that the PoC interacts with the driver using standard Windows APIs:
Opens a handle to \\.\BootRepair.
Sends a target PID via IOCTL 0x222014.
The driver terminates the process in kernel mode.
This simple interaction demonstrates how minimal effort is required to weaponize the flaw once the driver is accessible.
Running mimikatz after killing CrowdStrike process (Source: Jehad Abudagga)
Security Implications
This issue underscores the growing threat of BYOVD attacks, in which adversaries exploit trusted, signed drivers to undermine endpoint protections.
Because the driver is legitimately signed and initially undetected, it can evade traditional security controls that rely on signature trust.
Organizations should consider:
Blocking known vulnerable drivers using Microsoft’s recommended driver blocklist.
Monitoring for suspicious driver loads and kernel-level behavior.
Restricting the ability to load unsigned or unapproved drivers.
Leveraging EDR protections that detect abuse of legitimate drivers.
As attackers continue to abuse trusted components, proactive driver control and behavioral detection remain critical to defending modern endpoints.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack
GitHub Internal Repositories Breached Via Weaponized VS Code Extension
Authorities Have Taken Down “First VPN” Used in Ransomware Attacks
Operation Ramz Seizes 53 Servers Linked to Cyber Scams and Malware Threats
Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922
Latest News
Cyber Security News
Discord Announces End-to-End Encryption by Default for Video and Voice Messages
Cyber Attack News
Megalodon Malware Compromised 5,500+ GitHub Repos Within 6 Hours
Cyber Security News
Hackers Use Fake Microsoft Teams Downloads to Deploy ValleyRAT Malware
Cyber Security News
TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs
Cyber Security News
Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft