CVE-2025-70795 & CVE-2026-0828: Unpublished Driver Vulnerabilities Already Exploited In-The-Wild
Two critical vulnerabilities, CVE-2025-70795 and CVE-2026-0828, are being actively exploited by malware before their official public disclosure. Analysis indicates that the exploit development and verification for at least one of these CVEs is already complete, with proof-of-concept code and samples of in-the-wild exploitation circulating among security researchers. The primary vulnerability, CVE-2025-70795, is linked to a driver used in a Bring Your Own Vulnerable Driver (BYOVD) attack, a technique that allows malware to leverage legitimate but flawed drivers to gain high-level system privileges.
The exploitation centers on a driver named 'STProcessMonitor'. Public repositories on GitHub host PoC code designed to kill processes using this driver, directly linking the theoretical vulnerability to practical attack tools. Furthermore, the driver has been submitted to the LOLDrivers project, a crowdsourced list of known vulnerable drivers. The malware families ValleyRAT and SilverFox have been identified using this vulnerable driver in active campaigns, and technical analyses have been published across multiple Chinese-language security forums, indicating that awareness of the driver and hunting for it are already widespread in those communities.
This situation creates significant operational risk. The vulnerabilities remain unapproved for public disclosure by the CVE program, creating an information gap for defenders while attackers are already weaponizing the flaws. The availability of public PoC code lowers the barrier to entry for other threat actors, increasing the likelihood of broader exploitation. Security teams are now under pressure to identify and mitigate the use of the 'STProcessMonitor' driver without official patches or detailed advisories, relying on community-sourced intelligence and heuristic detection.
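One way to put the heuristic detection described above into practice, as an added example that is not part of the original report: a small triage routine over Sysmon Event ID 6 (DriverLoad) records that flags the 'STProcessMonitor' driver by name, by a LOLDrivers-sourced hash, and by BYOVD-style load locations. The hash set and the log records are constructed placeholders; the page gives no hashes, so the real values must come from the LOLDrivers entry.

```python
import re
from pathlib import PureWindowsPath

# Driver names the report ties to the ValleyRAT / SilverFox BYOVD campaigns.
VULNERABLE_DRIVER_NAMES = {"stprocessmonitor.sys"}
# Placeholder: populate from the LOLDrivers entry for the driver (constructed value here).
LOLDRIVERS_SHA256 = {"cd" * 32}
# Directories from which a legitimately installed driver is not normally loaded.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def parse_driver_load(line):
    """Parse a DriverLoad record flattened to 'Key: value | Key: value' form."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(hashes_field):
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'SHA256=...,IMPHASH=...'."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", hashes_field)
    return m.group(1).lower() if m else None


def assess(fields):
    """Return the reasons (possibly none) that a driver load looks like BYOVD abuse."""
    image = fields.get("ImageLoaded", "")
    reasons = []
    if PureWindowsPath(image).name.lower() in VULNERABLE_DRIVER_NAMES:
        reasons.append("known vulnerable driver name")
    digest = sha256_of(fields.get("Hashes", ""))
    if digest in LOLDRIVERS_SHA256:
        reasons.append("hash listed in LOLDrivers")
    if any(d in image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("loaded from user-writable path")
    if fields.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return reasons


def scan(lines):
    """Return (ImageLoaded, reasons) for every record that triggers at least one heuristic."""
    hits = []
    for line in lines:
        fields = parse_driver_load(line)
        reasons = assess(fields)
        if reasons:
            hits.append((fields.get("ImageLoaded", ""), reasons))
    return hits


# Constructed sample telemetry, not real log data.
SAMPLE_LOG = [
    "EventID: 6 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys | Hashes: SHA256=" + "ab" * 32 + " | Signed: true",
    "EventID: 6 | ImageLoaded: C:\\Users\\Public\\STProcessMonitor.sys | Hashes: SHA256=" + "cd" * 32 + " | Signed: true",
]
```

A signed-and-valid driver is still flagged here, because the whole point of BYOVD is that the abused driver carries a legitimate signature.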