
ThrottleStop code execution and privilege escalation flaw (CVE-2025-7771)

Vulnerability

Summary


CVE-2025-7771 in ThrottleStop.sys is being abused for kernel-level code execution and privilege escalation. In the observed bring-your-own-vulnerable-driver (BYOVD) chain, the attackers load the legitimately signed driver and use it to kill AV and EDR processes, weakening enterprise defenses before ransomware encryption begins. The flaw matters because it turns a legitimate signed driver into a practical defense-bypass mechanism that driver signature enforcement alone does not stop.

Related Happenings

Linux distributions mitigation advisories for CVE-2026-31431

Advisory/Mitigation
First: 30.04.2026 12:24 · Last: 30.04.2026 12:24 · Sources: 1

About this happening: Multiple **Linux distributions** released advisories for **CVE-2026-31431**, adding mitigation guidance for a **Linux kernel local privilege escalation** that can let an unprivile...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
First: 21.04.2026 17:00 · Last: 21.04.2026 17:00 · Sources: 1

How related: Trend Micro researchers detailed the tactics, techniques, and procedures (TTPs) of The Gentlemen ransomware gang, which was first observed in summer 2025.

About this happening: **The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...

Reynolds ransomware BYOVD defense-evasion activity

Malware Activity
First: 10.02.2026 16:36 · Last: 10.02.2026 16:36 · Sources: 1

About this happening: The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...

The Gentlemen ransomware vendor-specific AV/EDR bypass activity

Malware Activity
First: 11.09.2025 23:42 · Last: 11.09.2025 23:42 · Sources: 1

How related: Trend Micro found the ransomware is weaponizing a legitimate vulnerable driver, ThrottleStop.sys, to kill the processes of antivirus (AV) programs and other security products such as endpoint detection and response (EDR) platforms.

About this happening: The **Gentlemen ransomware** gang is now abusing **ThrottleStop.sys** and related tools to kill **AV** and **EDR** defenses, increasing the chance that encrypted attacks reach tar...

Timeline

  1. 11.09.2025 23:42 · 2 articles

    Trend Micro details CVE-2025-7771 abuse in ThrottleStop.sys

    Technical Analysis Update

    Trend Micro detailed how The Gentlemen ransomware gang is weaponizing CVE-2025-7771 in ThrottleStop.sys, renamed ThrottleBlood.sys, to gain kernel-level access and terminate AV and EDR processes before ransomware encryption. The group also uses All.exe, PowerRun.exe, and Allpatch2.exe to adapt bypasses to victim-specific defenses, and Trend Micro recommended zero-trust controls plus monitoring for renamed AV-killer tooling and unusual driver-plus-executable combinations.

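The two monitoring recommendations in the timeline entry above, renamed AV-killer tooling and unusual driver-plus-executable combinations, can be turned into concrete detection logic. The following is an added example written for this page; it is not code from Trend Micro or from the page's sources. It works over records shaped like Sysmon Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate) and flags four things: a driver hash on a blocklist, a signed driver loaded under a file name its signer does not normally ship (ThrottleStop.sys appearing as ThrottleBlood.sys), a driver loaded from a user-writable directory, and a process launched from the same directory within a short window of the driver load. The signer string "TechPowerUp", the blocklist hash and every event below are constructed sample data and assumptions, not values taken from the real driver or from the page.

```python
"""Detect BYOVD-style abuse of a renamed, known-vulnerable signed driver.

Added example, not from the original page or from Trend Micro. Field names
follow Sysmon Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate); the
events, hashes and signer strings are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: signer string -> the file name that signer's driver normally ships as.
# "TechPowerUp" is an assumed signer label for ThrottleStop.sys, not a verified one.
EXPECTED_NAME_BY_SIGNER = {
    "TechPowerUp": "throttlestop.sys",
}
# Constructed placeholder hash standing in for a real vulnerable-driver blocklist feed.
KNOWN_VULNERABLE_SHA256 = {"00" * 32}
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
CORRELATION_WINDOW = timedelta(seconds=60)


@dataclass
class Alert:
    rule: str
    time: datetime
    detail: str


def _hash_field(hashes: str, algo: str = "SHA256") -> str:
    """Sysmon packs hashes as 'SHA1=..,SHA256=..'; return one algorithm's value."""
    for part in hashes.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == algo:
            return value.strip().lower()
    return ""


def _in_user_writable_dir(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def analyze(events: list[dict]) -> list[Alert]:
    """Run the four BYOVD detection rules over a list of Sysmon-like events."""
    alerts: list[Alert] = []
    ordered = sorted(events, key=lambda e: e["UtcTime"])
    driver_loads = [e for e in ordered if e["EventID"] == 6]
    proc_creates = [e for e in ordered if e["EventID"] == 1]

    for drv in driver_loads:
        path = PureWindowsPath(drv["ImageLoaded"])
        name = path.name.lower()
        t = drv["UtcTime"]

        # Rule 1: driver hash matches a known-vulnerable blocklist entry.
        if _hash_field(drv["Hashes"]) in KNOWN_VULNERABLE_SHA256:
            alerts.append(Alert("known_vulnerable_driver", t, f"{path} matches blocklist"))

        # Rule 2: signed driver loaded under a name the signer does not normally use.
        expected = EXPECTED_NAME_BY_SIGNER.get(drv.get("Signature", ""))
        if expected and name != expected:
            alerts.append(Alert("renamed_signed_driver", t,
                                f"{drv['Signature']} driver loaded as {name}, expected {expected}"))

        # Rule 3: kernel driver loaded from a user-writable location.
        if _in_user_writable_dir(str(path)):
            alerts.append(Alert("driver_from_user_writable_path", t, str(path)))

        # Rule 4: driver-plus-executable, a process started from the same directory
        # within the correlation window of the driver load.
        for proc in proc_creates:
            proc_path = PureWindowsPath(proc["Image"])
            if proc_path.parent == path.parent and abs(proc["UtcTime"] - t) <= CORRELATION_WINDOW:
                alerts.append(Alert("driver_plus_executable", t, f"{path.name} with {proc_path.name}"))
    return alerts


# Constructed sample telemetry: a renamed driver dropped next to its loader, then a benign load.
T0 = datetime(2025, 9, 11, 23, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": T0, "ImageLoaded": r"C:\Users\Public\ThrottleBlood.sys",
     "Hashes": "SHA1=" + "11" * 20 + ",SHA256=" + "00" * 32,
     "Signed": "true", "Signature": "TechPowerUp", "SignatureStatus": "Valid"},
    {"EventID": 1, "UtcTime": T0 + timedelta(seconds=12), "Image": r"C:\Users\Public\All.exe",
     "CommandLine": r"C:\Users\Public\All.exe"},
    {"EventID": 6, "UtcTime": T0 + timedelta(hours=1), "ImageLoaded": r"C:\Windows\System32\drivers\benign.sys",
     "Hashes": "SHA256=" + "ff" * 32,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.time:%Y-%m-%d %H:%M:%S} {a.rule}: {a.detail}")
```

In production the hash set would come from a maintained vulnerable-driver feed and the signer-to-filename map from an inventory of drivers actually deployed in the estate; the rules are deliberately independent so that a renamed driver with an unseen hash still trips the signer check, and a driver dropped in a user profile directory alongside its loader trips the correlation rule even when its hash and name are unknown.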