CVE-2025-14963
Published: 24 February 2026
Summary
CVE-2025-14963 is a high-severity Improper Input Validation (CWE-20) vulnerability in Trellix Endpoint Security. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique LSASS Memory (T1003.001). The CVE is ranked at the 7.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SA-18 (Tamper Resistance and Detection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly requires timely remediation of the specific vulnerability in the fekern.sys driver to eliminate the privilege escalation risk.
Prohibits local users from installing or loading unauthorized vulnerable drivers required for the BYOVD exploitation technique.
Implements tamper resistance and detection mechanisms that restrict unauthorized communication with the vulnerable driver to authorized processes only, matching the CVE's described mitigation.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Vulnerability directly enables local privilege escalation via driver manipulation and provides access to LSASS memory for credential dumping.
NVD Description
A vulnerability identified in the HX Agent driver file fekern.sys allowed a threat actor with local user access the ability to gain elevated system privileges. Utilization of a Bring Your Own Vulnerable Driver (BYOVD) was leveraged to gain access to the critical Windows process memory lsass.exe (Local Security Authority Subsystem Service). The fekern.sys is a driver file associated with the HX Agent (used in all existing HX Agent versions). The vulnerable driver installed in a product or a system running a fully functional HX Agent is, itself, not exploitable as the product’s tamper protection restricts the ability to communicate with the driver to only the Agent’s processes.
Deeper analysis (AI)
CVE-2025-14963 is a vulnerability in the HX Agent driver file fekern.sys, which affects all existing versions of the HX Agent. The issue, classified under CWE-20 with NVD-CWE-noinfo, enables a threat actor with local user access to gain elevated system privileges. This is achieved through a Bring Your Own Vulnerable Driver (BYOVD) technique that provides access to the memory of the critical Windows process lsass.exe (Local Security Authority Subsystem Service). The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker requires local user privileges on the target system to exploit this vulnerability. Successful exploitation allows elevation to system-level privileges by manipulating the vulnerable driver to read and potentially alter lsass.exe process memory. However, the vulnerable driver is not exploitable when installed in a product or system running a fully functional HX Agent, as the product's tamper protection limits driver communication to only the Agent's processes.
Mitigation guidance is available in the Trellix advisory at https://thrive.trellix.com/s/article/000015100.
Details
- CWE(s)