CVE-2025-14963 (GCVE-0-2025-14963)
Vulnerability from cvelistv5
Published
2026-02-24 17:11
Modified
2026-02-26 14:44
Severity ?
6.2 (Medium) - CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
CWE
  • CWE-20 - Improper Input Validation
Summary
A vulnerability identified in the HX Agent driver file fekern.sys allowed a threat actor with local user access the ability to gain elevated system privileges. Utilization of a Bring Your Own Vulnerable Driver (BYOVD) was leveraged to gain access to the critical Windows process memory lsass.exe (Local Security Authority Subsystem Service). The fekern.sys is a driver file associated with the HX Agent (used in all existing HX Agent versions). The vulnerable driver installed in a product or a system running a fully functional HX Agent is, itself, not exploitable as the product’s tamper protection restricts the ability to communicate with the driver to only the Agent’s processes.
References
Impacted products
Vendor Product Version
Trellix Endpoint HX Agent (xAgent) Version: 36.30.0-17, 35.31.0-37, 34.x, 33.x and 30.x
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14963",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T04:56:08.220547Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:08.034Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Endpoint HX Agent (xAgent)",
          "vendor": "Trellix",
          "versions": [
            {
              "status": "affected",
              "version": "36.30.0-17, 35.31.0-37, 34.x, 33.x and 30.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability identified in the HX Agent driver file \u003c/span\u003efekern.sys\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;allowed a threat actor with local user access the ability to gain elevated system privileges. Utilization of a Bring Your Own Vulnerable Driver (BYOVD) was leveraged to gain access to the critical Windows process memory \u003c/span\u003elsass.exe\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;(Local Security Authority Subsystem Service). The\u003c/span\u003e\u003cem\u003e\u0026nbsp;\u003c/em\u003efekern.sys\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is a driver file associated with the HX Agent (used in all existing HX Agent versions). The vulnerable driver installed in a product or a system running a fully functional HX Agent is, itself, not exploitable\u003c/span\u003e\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eas the product\u2019s tamper protection restricts the ability to communicate with the driver to only the Agent\u2019s processes.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "A vulnerability identified in the HX Agent driver file fekern.sys\u00a0allowed a threat actor with local user access the ability to gain elevated system privileges. Utilization of a Bring Your Own Vulnerable Driver (BYOVD) was leveraged to gain access to the critical Windows process memory lsass.exe\u00a0(Local Security Authority Subsystem Service). The\u00a0fekern.sys\u00a0is a driver file associated with the HX Agent (used in all existing HX Agent versions). The vulnerable driver installed in a product or a system running a fully functional HX Agent is, itself, not exploitable\u00a0as the product\u2019s tamper protection restricts the ability to communicate with the driver to only the Agent\u2019s processes."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-30",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-30: Hijacking a Privileged Thread of Execution"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T07:36:15.415Z",
        "orgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
        "shortName": "trellix"
      },
      "references": [
        {
          "url": "https://thrive.trellix.com/s/article/000015100"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "01626437-bf8f-4d1c-912a-893b5eb04808",
    "assignerShortName": "trellix",
    "cveId": "CVE-2025-14963",
    "datePublished": "2026-02-24T17:11:06.812Z",
    "dateReserved": "2025-12-19T10:32:38.416Z",
    "dateUpdated": "2026-02-26T14:44:08.034Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-14963\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-25T04:56:08.220547Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-25T15:55:01.656Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-30\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-30: Hijacking a Privileged Thread of Execution\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P\", \"exploitMaturity\": \"PROOF_OF_CONCEPT\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Trellix\", \"product\": \"Endpoint HX Agent (xAgent)\", \"versions\": [{\"status\": \"affected\", \"version\": \"36.30.0-17, 35.31.0-37, 34.x, 33.x and 30.x\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://thrive.trellix.com/s/article/000015100\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability identified in the HX Agent driver file fekern.sys\\u00a0allowed a threat actor with local user access the ability to gain elevated system privileges. Utilization of a Bring Your Own Vulnerable Driver (BYOVD) was leveraged to gain access to the critical Windows process memory lsass.exe\\u00a0(Local Security Authority Subsystem Service). The\\u00a0fekern.sys\\u00a0is a driver file associated with the HX Agent (used in all existing HX Agent versions). The vulnerable driver installed in a product or a system running a fully functional HX Agent is, itself, not exploitable\\u00a0as the product\\u2019s tamper protection restricts the ability to communicate with the driver to only the Agent\\u2019s processes.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA vulnerability identified in the HX Agent driver file \u003c/span\u003efekern.sys\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;allowed a threat actor with local user access the ability to gain elevated system privileges. Utilization of a Bring Your Own Vulnerable Driver (BYOVD) was leveraged to gain access to the critical Windows process memory \u003c/span\u003elsass.exe\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;(Local Security Authority Subsystem Service). The\u003c/span\u003e\u003cem\u003e\u0026nbsp;\u003c/em\u003efekern.sys\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;is a driver file associated with the HX Agent (used in all existing HX Agent versions). The vulnerable driver installed in a product or a system running a fully functional HX Agent is, itself, not exploitable\u003c/span\u003e\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eas the product\\u2019s tamper protection restricts the ability to communicate with the driver to only the Agent\\u2019s processes.\u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"01626437-bf8f-4d1c-912a-893b5eb04808\", \"shortName\": \"trellix\", \"dateUpdated\": \"2026-02-26T07:36:15.415Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-14963\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T14:44:08.034Z\", \"dateReserved\": \"2025-12-19T10:32:38.416Z\", \"assignerOrgId\": \"01626437-bf8f-4d1c-912a-893b5eb04808\", \"datePublished\": \"2026-02-24T17:11:06.812Z\", \"assignerShortName\": \"trellix\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.