vuln disclosure
CVE-2025-61156: ThreatFire System Monitor Kernel Driver Allows Unprivileged Process Termination and EDR BypassCVE-2025-61156
A vulnerability in the ThreatFire System Monitor kernel driver (TfSysMon.sys) allows unprivileged users to terminate protected processes, including EDR and anti-malware, with kernel privileges. The driver lacks proper access control, enabling BYOVD attacks and local denial of service. The vulnerable driver is not in Microsoft's blocklist and its signature remains valid.