CVE-2025-63602: Hijacking System Calls with a Popular Crypto Miner

Category: Exploit Development
Published: Nov 12, 2025
Read time: ~5 min
Difficulty: Advanced

Context & Scope

An insecure utility kernel driver component in Awesome Miner 11.2.4 (Intel) allows unprivileged users to totally compromise systems via arbitrary MSR read/write.

- Tested platform: Windows 11, 25H2, 26200.7171.
- Miner version: 11.2.4.
- Target: Kernel-mode helper driver.
- Privilege/Context required: Low-privileged local user account if the driver was loaded by a process other than Awesome Miner; administrator if it was loaded by Awesome Miner itself.

Root Cause

The vulnerability is caused by a kernel driver IOCTL handler that forwards attacker-controlled parameters directly into the MSR read/write primitives, without validating which MSRs may be touched and without constraining the caller's privilege level (when the driver is loaded outside of Awesome Miner).

Exploit Chain

User-mode-exposed symbolic link:

- If the driver was started by Awesome Miner:
  - The attacker requires an administrative user session on a host with the miner installed.
- If the driver was started by a process other than Awesome Miner:
  - The attacker gains or starts from a standard user session on a host with the miner installed.
- In either case, the remaining steps are the same:
  - The attacker opens a handle to the vulnerable device object exposed by the helper driver.
  - The attacker issues crafted IOCTLs to write specific MSRs that control page tables or interrupt handlers.
  - By carefully choosing values, the attacker maps controlled memory as executable in kernel context.
  - Finally, a controlled transition is triggered to run attacker code in ring 0.

Impact

- Full local privilege escalation to kernel/SYSTEM.
- Ability to bypass OS security boundaries and tamper with security tooling.
- Potential for stealthy persistence in kernel space.
- Feasibility of sandbox or container escape, depending on the deployment model.

Recommendations

It is highly recommended to avoid any software that makes use of WinRing0, as it is a highly exploitable driver that can lead to total compromise of your system. On the software developer side, it is recommended to use alternative components for manipulating manufacturer-specific registers.
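The two missing checks named under Root Cause, shown side by side as an added example that is neither the advisory's nor the driver's code: a write handler that forwards caller-supplied parameters straight to the MSR primitive, and a hardened handler with an explicit MSR allowlist and a caller check. The request layout, the simulated register file and the caller_is_admin flag are assumptions so that the policy logic builds and runs in user mode.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed request layout for this example; it is not the real driver's IOCTL buffer. */
typedef struct { uint32_t msr; uint32_t reserved; uint64_t value; } msr_request_t;
enum { ST_OK = 0, ST_BAD_LENGTH, ST_ACCESS_DENIED, ST_MSR_NOT_ALLOWED };

/* User-mode stand-in for rdmsr/wrmsr: a tiny simulated register file keyed by MSR index.
   0x19C IA32_THERM_STATUS, 0x1B1 IA32_PACKAGE_THERM_STATUS, 0x606 MSR_RAPL_POWER_UNIT,
   0xC0000082 IA32_LSTAR (the syscall entry point, one of the registers the advisory warns about). */
#define NSLOTS 4
static const uint32_t g_slot_msr[NSLOTS] = { 0x19C, 0x1B1, 0x606, 0xC0000082 };
static uint64_t g_slot_val[NSLOTS] = { 0, 0, 0, 0xFFFFF80000001000ULL }; /* constructed values */
static int slot_of(uint32_t msr) {
    for (int i = 0; i < NSLOTS; i++) if (g_slot_msr[i] == msr) return i;
    return -1;
}
static int sim_rdmsr(uint32_t m, uint64_t *v) { int s = slot_of(m); if (s < 0) return -1; *v = g_slot_val[s]; return 0; }
static int sim_wrmsr(uint32_t m, uint64_t v)  { int s = slot_of(m); if (s < 0) return -1; g_slot_val[s] = v; return 0; }

/* The pattern the advisory describes: the caller's index and value go straight to the write
   primitive. Only the buffer length is checked, so any MSR, IA32_LSTAR included, is writable. */
int vulnerable_msr_write(const void *in, size_t in_len) {
    msr_request_t req;
    if (in_len < sizeof req) return ST_BAD_LENGTH;
    memcpy(&req, in, sizeof req);
    return sim_wrmsr(req.msr, req.value) == 0 ? ST_OK : ST_MSR_NOT_ALLOWED;
}

/* Hardened handler: an explicit allowlist of telemetry MSRs with a per-entry write flag, plus a
   caller check. caller_is_admin stands in for restricting who may open the device at all, which a
   real driver does with an SDDL string passed to IoCreateDeviceSecure rather than per request. */
static const struct { uint32_t msr; bool writable; } g_allow[] = {
    { 0x19C, false }, { 0x1B1, false }, { 0x606, false },
};
int hardened_msr_ioctl(bool caller_is_admin, bool is_write, const void *in, size_t in_len, uint64_t *out) {
    msr_request_t req;
    size_t i, n = sizeof g_allow / sizeof g_allow[0];
    if (!caller_is_admin) return ST_ACCESS_DENIED;
    if (in_len < sizeof req || (!is_write && out == NULL)) return ST_BAD_LENGTH;
    memcpy(&req, in, sizeof req);
    for (i = 0; i < n; i++)                       /* allowlist, never a denylist */
        if (g_allow[i].msr == req.msr && (!is_write || g_allow[i].writable)) break;
    if (i == n) return ST_MSR_NOT_ALLOWED;
    if (is_write) return sim_wrmsr(req.msr, req.value) == 0 ? ST_OK : ST_MSR_NOT_ALLOWED;
    return sim_rdmsr(req.msr, out) == 0 ? ST_OK : ST_MSR_NOT_ALLOWED;
}
```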