Cyber Resilience

CVE-2025-14963

Medium

Published: 24 February 2026

Modified: 26 February 2026
KEV Added: not listed
CVSS Score (v4): 6.2, vector CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0003 (8.2th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-14963 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Trellix Endpoint Security. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique LSASS Memory (T1003.001). The CVE ranks at the 8.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SA-18 (Tamper Resistance and Detection).

Deeper analysis

CVE-2025-14963 is a vulnerability in the HX Agent driver file fekern.sys, which affects all existing versions of the HX Agent. The issue, classified as CWE-20 (NVD additionally records NVD-CWE-noinfo), enables a threat actor with local user access to gain elevated system privileges. This is achieved through a Bring Your Own Vulnerable Driver (BYOVD) technique: the driver, once loaded, provides access to the memory of the critical Windows process lsass.exe (Local Security Authority Subsystem Service). The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker requires local user privileges on the target system to exploit this vulnerability. Successful exploitation allows elevation to system-level privileges by manipulating the vulnerable driver to read and potentially alter lsass.exe process memory. However, the vulnerable driver is not exploitable when installed in a product or system running a fully functional HX Agent, as the product's tamper protection limits driver communication to only the Agent's processes.

Mitigation guidance is available in the Trellix advisory at https://thrive.trellix.com/s/article/000015100.
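As an added defender-side example (not code from the page or from Trellix), the following Python flags the telemetry pattern that matches the mechanism described above: a fekern.sys load outside the tamper-protected HX Agent context, followed by LSASS access from a non-agent process on the same host. The agent directory, the agent process name, the event field names and all sample events are assumptions constructed for this example.

```python
# Added example, not code from the page or from Trellix: detection logic that
# flags fekern.sys loads outside the HX Agent's tamper-protected context, and
# LSASS access by non-agent processes on hosts where such a load was seen.
# Events are constructed dicts shaped after Sysmon Event ID 6 (DriverLoad) and
# Event ID 10 (ProcessAccess); the field names are this example's own.
from typing import Iterable

# Assumed placeholders; take the real install directory and process names
# from the vendor documentation.
AGENT_DIR = r"C:\Program Files\HX_AGENT_PLACEHOLDER"
AGENT_PROCESSES = {"hxagent_placeholder.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_byovd_indicators(events: Iterable[dict], agent_hosts: set[str]) -> list[str]:
    """One finding per suspicious event, in event order.

    A fekern.sys load is suspicious when the host is not running a managed
    HX Agent or the driver came from outside the agent directory; LSASS
    access is reported only for non-agent processes on such hosts."""
    findings: list[str] = []
    unmanaged_driver_hosts: set[str] = set()
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 6 and basename(ev["image_loaded"]) == "fekern.sys":
            in_agent_dir = ev["image_loaded"].lower().startswith(AGENT_DIR.lower() + "\\")
            if host not in agent_hosts or not in_agent_dir:
                unmanaged_driver_hosts.add(host)
                findings.append(f"{host}: fekern.sys loaded outside HX Agent context from {ev['image_loaded']}")
        elif ev["event_id"] == 10 and basename(ev["target_image"]) == "lsass.exe":
            source = basename(ev["source_image"])
            if source not in AGENT_PROCESSES and host in unmanaged_driver_hosts:
                findings.append(f"{host}: {source} opened lsass.exe after an unmanaged fekern.sys load")
    return findings


# Constructed sample telemetry: ws-managed runs the agent, ws-lab does not.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"event_id": 6, "host": "ws-managed", "image_loaded": AGENT_DIR + r"\fekern.sys"},
    {"event_id": 10, "host": "ws-managed", "source_image": AGENT_DIR + r"\hxagent_placeholder.exe", "target_image": LSASS},
    {"event_id": 6, "host": "ws-lab", "image_loaded": r"C:\Users\Public\fekern.sys"},
    {"event_id": 10, "host": "ws-lab", "source_image": r"C:\Users\Public\loader.exe", "target_image": LSASS},
    {"event_id": 10, "host": "ws-managed", "source_image": r"C:\Windows\System32\svchost.exe", "target_image": LSASS},
]
AGENT_HOSTS = {"ws-managed"}
```

Running `find_byovd_indicators(SAMPLE_EVENTS, AGENT_HOSTS)` yields two findings for ws-lab and none for the managed host, where the driver and the LSASS access both stay inside the agent's own context.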

Vulnerability details

A vulnerability identified in the HX Agent driver file fekern.sys allowed a threat actor with local user access the ability to gain elevated system privileges. Utilization of a Bring Your Own Vulnerable Driver (BYOVD) was leveraged to gain access to the critical Windows process memory lsass.exe (Local Security Authority Subsystem Service). The fekern.sys is a driver file associated with the HX Agent (used in all existing HX Agent versions). The vulnerable driver installed in a product or a system running a fully functional HX Agent is, itself, not exploitable as the product's tamper protection restricts the ability to communicate with the driver to only the Agent's processes.

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1003.001 LSASS Memory (Credential Access): Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability directly enables local privilege escalation via driver manipulation and provides access to LSASS memory for credential dumping.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-21234 (shared CWE-20)
- CVE-2025-48647 (shared CWE-20)
- CVE-2025-25210 (shared CWE-20)
- CVE-2026-21733 (shared CWE-20)
- CVE-2026-7905 (shared CWE-20)
- CVE-2026-7997 (shared CWE-20)
- CVE-2026-5174 (shared CWE-20)
- CVE-2026-26170 (shared CWE-20)
- CVE-2026-9914 (shared CWE-20)
- CVE-2025-24255 (shared CWE-20)

Affected Assets

Trellix Endpoint Security: versions 35.31.0-37 and 36.30.0-17; versions 30.0.0 through 34.0.0

Mitigating Controls (NIST 800-53 r5, AI-suggested)

- prevent: Directly requires timely remediation of the specific vulnerability in the fekern.sys driver to eliminate the privilege escalation risk.
- prevent (CM-11, User-installed Software): Prohibits local users from installing or loading unauthorized vulnerable drivers required for the BYOVD exploitation technique.
- prevent (SA-18, Tamper Resistance and Detection): Implements tamper resistance and detection mechanisms that restrict communication with the vulnerable driver to authorized processes only, matching the mitigation described in the CVE.
