Security researchers have published a detailed breakdown of CVE-2025-8061, a critical vulnerability found in a signed Lenovo driver, LnvMSRIO.sys. The disclosure outlines how attackers can leverage this flaw to move from user-mode access to full Ring 0 kernel control.
The findings were released by the team at sibouzitoun.tech, who describe the vulnerability as a prime example of the 'Bring Your Own Vulnerable Driver' (BYOVD) attack surface. By weaponizing a legitimate, signed driver, attackers can bypass standard Windows security checks that typically prevent the loading of unsigned malicious code.
From proof of concept to kernel implant
The researchers documented the exploit’s evolution across a four-part series. The process begins with reverse-engineering the driver to extract arbitrary kernel read and write primitives. These primitives allow an attacker to defeat kernel Address Space Layout Randomization (kASLR) and steal the SYSTEM token, effectively granting them administrative control over the machine.
In the second phase of the research, the team focused on making the exploit viable for real-world scenarios. They eliminated hardcoded offsets and replaced them with dynamic ROP gadget scanning. They also developed methods to evade Supervisor Mode Access Prevention (SMAP) using custom assembly code.
The final stages of the research demonstrate how to maintain persistence and evade detection. By using Direct Kernel Object Manipulation (DKOM), an attacker can hide their process from the operating system entirely. The researchers also detail how to blind Driver Signature Enforcement (DSE, part of Windows Code Integrity) and race PatchGuard, the Windows kernel patch protection feature designed to prevent kernel-level tampering.
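The chain described above starts with getting a signed but vulnerable driver loaded, which is the one step a defender can see in telemetry before any kernel primitive is used. The following is an added, defender-side example and is not code from the page or from the sibouzitoun.tech project: it parses Sysmon Event ID 6 (DriverLoad) records rendered as Windows event XML and flags loads that match a watchlist of vulnerable driver names (seeded with LnvMSRIO.sys from this report), come from a directory outside the normal driver locations, or carry a missing or invalid signature. The two sample events are constructed for this example, the hash field is a placeholder because the page gives no hash, and the signer names are assumptions.

```python
"""Detection example: flag suspicious kernel driver loads in Sysmon Event ID 6
(DriverLoad) records.  Everything below is illustrative; the two sample events
are constructed for this example and do not come from any real system."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Driver file names to alert on.  LnvMSRIO.sys is the driver named in the
# CVE-2025-8061 write-up; extend this from a trusted vulnerable-driver list.
VULNERABLE_DRIVER_NAMES = {"lnvmsrio.sys"}
# SHA-256 hashes of known-vulnerable driver builds.  Left empty on purpose:
# populate from a trusted source, the hash is not given on the page.
VULNERABLE_DRIVER_SHA256 = set()
# Directories a legitimately installed driver is normally loaded from.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

def parse_sysmon_event(xml_text):
    """Return (event_id, {Data Name: value}) from Windows event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return event_id, data

def parse_hashes(hashes_field):
    """Sysmon renders hashes as 'SHA256=...,IMPHASH=...'; return a dict keyed by algorithm."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def assess_driver_load(event_id, data):
    """Return the reasons a DriverLoad event is suspicious (empty list = nothing to report)."""
    if event_id != 6:
        return []
    image = PureWindowsPath(data.get("ImageLoaded", ""))
    reasons = []
    if image.name.lower() in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver name: {image.name}")
    sha256 = parse_hashes(data.get("Hashes", "")).get("SHA256")
    if sha256 and sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"sha256 on vulnerable-driver blocklist: {sha256}")
    parent = str(image.parent).lower()
    if not any(parent.startswith(d) for d in EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from unexpected directory: {image.parent}")
    # A valid signature is exactly what BYOVD relies on, so a signed driver is
    # not a clean bill of health; only an unsigned or invalid one is an extra flag.
    if data.get("Signed", "").lower() != "true" or data.get("SignatureStatus", "") != "Valid":
        reasons.append("signature missing or not valid")
    return reasons

def scan_events(xml_records):
    """Run every record through the checks; return [(ImageLoaded, reasons)] for hits."""
    findings = []
    for rec in xml_records:
        event_id, data = parse_sysmon_event(rec)
        reasons = assess_driver_load(event_id, data)
        if reasons:
            findings.append((data.get("ImageLoaded", ""), reasons))
    return findings

def _event(image, sha256, signed, status, signer):
    """Build a constructed Sysmon Event ID 6 record in Windows event XML shape."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>6</EventID></System>
  <EventData>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signer}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""

# Constructed samples: a benign in-box driver load and a signed vendor driver
# loaded from a user-writable directory, the pattern the write-up describes.
SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\drivers\example_inbox.sys", "0" * 64, "true", "Valid", "CONSTRUCTED_OS_SIGNER"),
    _event(r"C:\Users\Public\LnvMSRIO.sys", "PLACEHOLDER_HASH", "true", "Valid", "CONSTRUCTED_VENDOR_SIGNER"),
]

if __name__ == "__main__":
    for image, reasons in scan_events(SAMPLE_EVENTS):
        print(image)
        for r in reasons:
            print("  -", r)
```

The design point is that the signature check alone cannot catch this class of attack, since the driver really is validly signed; the name and hash watchlist plus the load-path check carry the detection. In production the name list and hash set should be fed from a maintained vulnerable-driver list, and the load itself should be prevented where possible by enabling Microsoft's vulnerable driver blocklist and HVCI rather than only detected after the fact.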
The researchers argue that documenting these techniques is essential for defensive engineering. 'Understanding how attackers chain these primitives is the first step in building resilient defenses,' the team noted in their report.
The project repository, which includes the full C++ source code and the vulnerable driver, is intended for security professionals to study the mechanics of the exploit. The authors noted that their work was inspired by previous research from Quarkslab on the BYOVD attack vector.
By moving away from traditional driver loading processes and hooking system calls, the researchers demonstrated that standard kernel defenses can be bypassed. The provided code allows security teams to test their own systems against these advanced privilege escalation techniques.