CVE-2025-52347: PassMark Drivers Expose Kernel to Privilege Escalation
The National Vulnerability Database has detailed CVE-2025-52347, a high-severity vulnerability (CVSS 7.8) affecting the DirectIo64.sys component used in several PassMark products. Specifically, PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 are impacted. This flaw allows attackers to access kernel memory and escalate privileges through a crafted IOCTL 0x8011E044 call.
This isn’t a remote exploit, but it’s critical. An attacker who has already gained initial access to a system could leverage this vulnerability to move from userland to kernel space. This grants them full control, making it trivial to bypass security controls, install rootkits, or exfiltrate sensitive data with impunity. It’s the ultimate privilege escalation for an attacker already inside your perimeter.
The National Vulnerability Database attributes the issue to CWE-20 (Improper Input Validation) and CWE-269 (Improper Privilege Management). Defenders need to recognize that tools designed for system diagnostics and forensics often operate with high privileges, making their drivers prime targets for this type of abuse. Patching these utilities is non-negotiable.
What This Means For You
- If your organization uses PassMark BurnInTest, OSForensics, or PerformanceTest, check for updates immediately. An attacker with local access can turn a foothold into full system compromise. Patching these utilities closes a critical privilege escalation path that could otherwise be exploited post-initial access.
🛡️ Detection Rules
CVE-2025-52347: DirectIo64.sys IOCTL for Privilege Escalation
```yaml
title: 'CVE-2025-52347: DirectIo64.sys IOCTL for Privilege Escalation'
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
    Detects loading of the DirectIo64.sys driver, the vulnerable component in
    CVE-2025-52347. The crafted IOCTL (0x8011E044) used to access kernel memory
    is not recorded in driver-load events, so the rule matches on the driver
    image only.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2025-52347/
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        # driver_load events carry the image path, hashes and signature data.
        # They have no TargetObject field and do not record IOCTL codes, so an
        # additional TargetObject match on '0x8011E044' would keep the rule
        # from ever firing.
        ImageLoaded|endswith:
            - '\DirectIo64.sys'
    condition: selection
falsepositives:
    - Legitimate administrative activity
    - Legitimate use of PassMark BurnInTest, OSForensics or PerformanceTest
```
Source: Shimi's Cyber World
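Driver-load telemetry such as Sysmon Event ID 6 records the loaded image path and signature data, not the IOCTL codes later sent to the driver, so detection for this CVE rests on spotting DirectIo64.sys being loaded. The following is an added example (not from the original page or from PassMark) that parses such events and separates loads from an expected install directory from loads that warrant review; the sample events, host names, paths and the list of expected directories are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DRIVER = "directio64.sys"  # vulnerable component named in the advisory
# Assumption: directories where the PassMark tools are expected to be installed.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

def make_event(event_id, host, image):
    """Build a constructed, minimal Sysmon-style record (sample data only)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<Computer>{host}</Computer></System><EventData>"
            f'<Data Name="ImageLoaded">{image}</Data></EventData></Event>')

# Constructed sample events; host names and paths are made up for illustration.
SAMPLE_EVENTS = [
    make_event(6, "LAB-01", r"C:\Program Files\BurnInTest\DirectIo64.sys"),
    make_event(6, "WS-17", r"C:\Temp\tools\DirectIo64.sys"),
    make_event(6, "WS-17", r"C:\Program Files\Vendor\XDirectIo64.sys"),
    make_event(6, "WS-17", r"C:\Windows\System32\drivers\tcpip.sys"),
    make_event(7, "LAB-01", r"C:\Windows\System32\kernel32.dll"),
]

def parse_driver_load(xml_text):
    """Return (host, image_path) for a Sysmon Event ID 6 record, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    host = root.findtext("e:System/e:Computer", default="?", namespaces=NS)
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return host, data.get("ImageLoaded", "")

def triage(events):
    """Map host -> [(image_path, verdict)] for every DirectIo64.sys load."""
    hits = {}
    for xml_text in events:
        parsed = parse_driver_load(xml_text)
        if parsed is None:
            continue
        host, image = parsed
        norm = image.lower()
        if norm.rsplit("\\", 1)[-1] != DRIVER:  # exact file name, not substring
            continue
        verdict = "expected-path" if norm.startswith(EXPECTED_DIRS) else "review"
        hits.setdefault(host, []).append((image, verdict))
    return hits

if __name__ == "__main__":
    for host, loads in triage(SAMPLE_EVENTS).items():
        print(host, loads)
```

A hit with the `expected-path` verdict still identifies a host that carries the vulnerable driver and needs the product update.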
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-52347 | Privilege Escalation | PassMark BurnInTest v11.0 Build 1011 |
| CVE-2025-52347 | Privilege Escalation | OSForensics v11.1 Build 1007 |
| CVE-2025-52347 | Privilege Escalation | PerformanceTest v11.1 Build 1004 |
| CVE-2025-52347 | Privilege Escalation | Vulnerable component: DirectIo64.sys |
| CVE-2025-52347 | Privilege Escalation | Vulnerable IOCTL call: 0x8011E044 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 01, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.