The complete C++ source, PrepareStack.asm, and the dummy vulnerable driver are in the project repository: CVE-2025-8061.

This content was inspired by Quarkslab’s article "BYOVD to the next level".

Welcome to a four-part deep dive into modern Windows kernel exploitation. In this series, we explore the Bring Your Own Vulnerable Driver (BYOVD) attack surface by dissecting and weaponizing CVE-2025-8061, a vulnerability found in a legitimate, signed Lenovo driver (LnvMSRIO.sys).

This series documents the complete evolution of an exploit, taking it from a fragile Proof of Concept to a stealthy, fully automated kernel implant:

Understanding how attackers chain these primitives is the first step in building resilient defenses. Let’s dive in.

This article details the exploitation of CVE-2025-8061 (CVSS 7.0 HIGH), a vulnerability in a signed Lenovo driver (LnvMSRIO.sys) enabling Bring Your Own Vulnerable Driver (BYOVD) attacks to achieve kernel-level (Ring 0) execution from user-land. The series documents the evolution of an exploit from proof-of-concept to a stealthy, automated kernel implant.