{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/818729#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nKernel driver `ProcessMonitorDriver.sys` in Safetica's endpoint client x64, versions 10.5.75.0 and 11.11.4.0, allows an unprivileged user to abuse an IOCTL path and terminate protected system processes.\r\n### Description\r\nSafetica is a Data Loss Prevention (DLP) and Insider Risk Management (IRM) software solution that helps organizations protect their data by detecting, analyzing, and mitigating threats. Safetica's platform is AI-powered and is used by public and private organizations globally.\r\n\r\nA vulnerability has been discovered in Safetica's `ProcessMonitorDriver.sys` kernel driver. A local, unprivileged user can abuse a vulnerable IOCTL (Input/Output Control) path in the kernel driver to cause privileged termination of arbitrary system processes. IOCTL interfaces allow user-mode software to send commands into kernel space so that the driver can perform specific privileged actions such as terminating processes. Terminating Safetica's endpoint detection and response and antivirus processes can blind security monitoring on clients' machines. Improper input sanitization and caller validation in the IOCTL handler allow the kernel driver to be manipulated into privilege escalation and DoS (denial of service).\r\n### Impact\r\nA threat actor can leverage this vulnerability and use the IOCTL path to terminate processes repeatedly. This could lead to a DoS attack and render Safetica's systems unavailable.\r\n\r\n### Solution\r\nAt the time of publication, no vendor-supported fix is available for the vulnerability affecting the Safetica DLP kernel driver `ProcessMonitorDriver.sys`, which allows unprivileged users to abuse exposed IOCTL handlers to terminate arbitrary processes. 
Until an official patch or guidance is provided by the vendor, the following mitigations are recommended:\r\n\r\n1. Monitor and Detect Abuse of IOCTL Calls Targeting the Driver: Safetica's client organizations should actively monitor for suspicious or abnormal IOCTL handler requests. To detect this activity, clients should deploy kernel driver monitoring solutions such as Endpoint Detection and Response or System Monitor-like telemetry (where supported). This will 1) identify unprivileged processes, 2) detect unusual IOCTL patterns, and 3) alert security teams when user-mode processes interact with the kernel driver.\r\n\r\n2. Restrict or Block Access to the Vulnerable Driver via Policy Controls: To restrict access to `ProcessMonitorDriver.sys`, Safetica's client organizations should use Windows Group Policy or Application Control policies (WDAC [https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-overview] /AppLocker [https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker]). Policy-based enforcement will prevent untrusted or non-administrative processes from loading or interacting with the driver, and can block untrusted or unsigned binaries from communicating with the kernel driver.\r\n\r\n### Acknowledgements\r\nThanks to the reporter, KOSEC LLC. This document was written by Ayushi Kriplani.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. 
It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/818729"}],"title":"Safetica contains a kernel driver vulnerability","tracking":{"current_release_date":"2026-01-20T13:35:14+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#818729","initial_release_date":"2026-01-20 13:35:14.774901+00:00","revision_history":[{"date":"2026-01-20T13:35:14+00:00","number":"1.20260120133514.1","summary":"Released on 2026-01-20T13:35:14+00:00"}],"status":"final","version":"1.20260120133514.1"}},"vulnerabilities":[{"title":"Kernel driver ProcessMonitorDriver.","notes":[{"category":"summary","text":"Kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64, versions 10.5.75.0 and 11.11.4.0, allows an unprivileged user to abuse an IOCTL path and terminate protected system processes."}],"cve":"CVE-2026-0828","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#818729"}]}],"product_tree":{"branches":[]}}