InfoSecBulletin Cybersecurity for mankind
Threat actors are exploiting a component of CheckPoint’s ZoneAlarm antivirus to bypass Windows security measures. Nima Bagheri, a security researcher in Austin and founder of Venak Security, announced a new Bring Your Own Vulnerable Driver (BYOVD) attack in a report on March 20.
Threat actors exploited vulnerabilities in vsdatant.sys, a system file from ZoneAlarm software by CheckPoint Software Technologies.
Cybercriminals Exploit Checkpoint’s Driver in a BYOVD Attack
IBM and Veeam Release Patches in AIX System and Backup
WhatsApp patched zero-click flaw exploited in spyware attacks
CVE-2025-24472
CISA Warns of Fortinet FortiOS Auth Bypass Vuln Exploited in Wild
11 state hackers exploit new Windows zero-day since 2017
Hackers Exploit ChatGPT with CVE-2024-27564
(CVE-2024-540385)
CVSS 10 Alert! HPE Cray Vulnerability Authentication Bypass Threat
CVE-2025-24813
Apache Tomcat Flaw Exploited In The Wild
B1nary_Band1ts secure first for “MIST CyberTron 2025”
CVE-2025-24016
Critical RCE vulnerability affects Wazuh
Conditions for BYOVD Attack:
Like many endpoint security solutions, vsdatant.sys has high-level access, allowing it to reach and change important system parts, intercept system actions, and possibly avoid security measures, giving it a high level of control over an operating system.
The driver is legitimate and has a valid signature, so antivirus and EDR solutions usually consider its activity safe.
These two conditions are the building blocks of a successful BYOVD attack.
Bypassing Windows Memory Integrity Security Protection:
Bagheri’s report indicated that vsdatant.sys version 14.1.32.0, released in 2016, has multiple vulnerabilities, though he did not specify what they are.
Threat actors exploited vulnerabilities to bypass Windows Memory Integrity, a feature that protects critical system processes by isolating them in a virtual environment, making it difficult for attackers to inject malicious code.
“Once these defenses were bypassed, attackers had full access to the underlying system, the attackers were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation,” Bagheri continued.
The attackers set up a Remote Desktop Protocol (RDP) connection to the infected systems, allowing them ongoing access to the compromised machines.
Bagheri stated that the latest version of vsdatant.sys is secure, advising CheckPoint ZoneAlarm customers to update to it if they can.
The security researcher contacted CheckPoint before publishing the report.
Source: venaksecurity
