InfoSecBulletin Cybersecurity for mankind
Threat actors are exploiting a component of CheckPoint’s ZoneAlarm antivirus to bypass Windows security measures. Nima Bagheri, a security researcher in Austin and founder of Venak Security, announced a new Bring Your Own Vulnerable Driver (BYOVD) attack in a report on March 20.
Threat actors exploited vulnerabilities in vsdatant.sys, a system file from ZoneAlarm software by CheckPoint Software Technologies.
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
UAP hosted “UAP Cyber Siege 2025”, A national level cybersecurity competition
Conditions for BYOVD Attack:
Like many endpoint security solutions, vsdatant.sys has high-level access, allowing it to reach and change important system parts, intercept system actions, and possibly avoid security measures, giving it a high level of control over an operating system.
The driver is legitimate and has a valid signature, so antivirus and EDR solutions usually consider its activity safe.
These two conditions are the building blocks of a successful BYOVD attack.
Bypassing Windows Memory Integrity Security Protection:
Bagheri’s report indicated that vsdatant.sys version 14.1.32.0, released in 2016, has multiple vulnerabilities, though he did not specify what they are.
Threat actors exploited vulnerabilities to bypass Windows Memory Integrity, a feature that protects critical system processes by isolating them in a virtual environment, making it difficult for attackers to inject malicious code.
“Once these defenses were bypassed, attackers had full access to the underlying system, the attackers were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation,” Bagheri continued.
The attackers set up a Remote Desktop Protocol (RDP) connection to the infected systems, allowing them ongoing access to the compromised machines.
Bagheri stated that the latest version of vsdatant.sys is secure, advising CheckPoint ZoneAlarm customers to update to it if they can.
The security researcher contacted CheckPoint before publishing the report.
Source: venaksecurity
