CVE-2025-51060

An issue was discovered in CPUID cpuz.sys 1.0.5.4. An attacker can use DeviceIoControl with the unvalidated parameters 0x9C402440 and 0x9C402444 as IoControlCodes to perform RDMSR and WRMSR, respectively. Through this process, the attacker can modify MSR_LSTAR and hook KiSystemCall64. Afterward, using Return-Oriented Programming (ROP), the attacker can manipulate the stack with pre-prepared gadgets, disable the SMAP flag in the CR4 register, and execute a user-mode syscall handler in the kernel context. It has not been confirmed whether this works on 32-bit Windows, but it functions on 64-bit Windows if the core isolation feature is either absent or disabled.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://cpuid.com	Product
http://cpuzsys.com	Broken Link
https://github.com/ZiaLib/Zmsr	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:cpuid:cpuz.sys:1.0.5.4:*:*:*:*:windows:*:*

History

No history.

Information

Published : 2025-08-05 18:15

Updated : 2025-10-09 17:33

NVD link : CVE-2025-51060

Mitre link : CVE-2025-51060

CVE.ORG link : CVE-2025-51060

JSON object : View

Products Affected

cpuid

cpuz.sys

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-51060", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-08-05T18:15:32.220", "references": [{"url": "http://cpuid.com", "tags": ["Product"], "source": "[email protected]"}, {"url": "http://cpuzsys.com", "tags": ["Broken Link"], "source": "[email protected]"}, {"url": "https://github.com/ZiaLib/Zmsr", "tags": ["Exploit"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in CPUID cpuz.sys 1.0.5.4. An attacker can use DeviceIoControl with the unvalidated parameters 0x9C402440 and 0x9C402444 as IoControlCodes to perform RDMSR and WRMSR, respectively. Through this process, the attacker can modify MSR_LSTAR and hook KiSystemCall64. Afterward, using Return-Oriented Programming (ROP), the attacker can manipulate the stack with pre-prepared gadgets, disable the SMAP flag in the CR4 register, and execute a user-mode syscall handler in the kernel context. It has not been confirmed whether this works on 32-bit Windows, but it functions on 64-bit Windows if the core isolation feature is either absent or disabled."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en CPUID cpuz.sys 1.0.5.4. Un atacante puede usar DeviceIoControl con los par\u00e1metros no validados 0x9C402440 y 0x9C402444 como IoControlCodes para ejecutar RDMSR y WRMSR, respectivamente. Mediante este proceso, el atacante puede modificar MSR_LSTAR y enlazar KiSystemCall64. Posteriormente, mediante Programaci\u00f3n Orientada al Retorno (ROP), el atacante puede manipular la pila con gadgets preconfigurados, deshabilitar el indicador SMAP en el registro CR4 y ejecutar un controlador de llamadas al sistema en modo usuario en el contexto del kernel. No se ha confirmado si esto funciona en Windows de 32 bits, pero s\u00ed en Windows de 64 bits si la funci\u00f3n de aislamiento del n\u00facleo est\u00e1 ausente o deshabilitada."}], "lastModified": "2025-10-09T17:33:57.897", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cpuid:cpuz.sys:1.0.5.4:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "A08FA505-34F3-46D4-9827-4F0D335E6BC0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}