BYOVD Attacks Are Evolving Faster Than Most Businesses Realize

Making Vulnerable Drivers Exploitable Without Hardware – The BYOVD Perspective

BYOVD attacks (Bring Your Own Vulnerable Driver) continue to evolve, and new research is showing just how flexible these attacks have become. Security researchers recently demonstrated that many vulnerable Windows kernel drivers can still be loaded, accessed, and potentially exploited without the original hardware ever being present.

Traditionally, certain drivers were thought to be “hardware-gated,” meaning the vulnerable functionality could only be reached if a specific physical device existed on the system. The research challenges that assumption by showing how attackers can use software-emulated devices and spoofed hardware IDs to trick Windows into loading vulnerable drivers anyway.

Once loaded, these drivers may expose kernel-level functionality that attackers can abuse to disable security controls, terminate protected processes, interfere with EDR tools, or gain deeper access into the operating system. This is one reason BYOVD attacks remain popular in ransomware and post-exploitation campaigns.

The research also highlights an uncomfortable reality in cybersecurity: trusted, signed drivers can still become attack paths if they contain vulnerabilities and aren’t properly managed. Attackers don’t always need malware that looks suspicious. Sometimes they simply abuse legitimate components already trusted by the system.

What businesses should be paying attention to:

  • Vulnerable or outdated drivers still present in the environment
  • Unexpected driver loads or strange device creation activity
  • Weak administrative controls that allow driver installation
  • Systems missing Microsoft’s vulnerable driver blocklist protections
  • Endpoint protection tools that aren’t monitoring kernel-level abuse

What you can do:

  • Regularly audit installed drivers and remove outdated ones
  • Enforce driver allowlists and Microsoft-recommended blocklists
  • Keep endpoint protection and EDR solutions updated
  • Restrict local administrator access wherever possible
  • Monitor for suspicious kernel or driver-related activity
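
As an added, defender-side example (not code from the original post or from Britec), the PowerShell below checks three of the controls listed above on a single host: whether Microsoft's vulnerable driver blocklist is switched on, which running kernel drivers are not Microsoft-signed, and which driver-load events Code Integrity or Sysmon recorded recently. It assumes Windows PowerShell 5.1 or later in an elevated session; the Sysmon log is only read if Sysmon is installed, and the "non-Microsoft signer" test is our own heuristic, so treat its hits as leads to review rather than verdicts.

```powershell
# Added example, not from the original post. Assumptions: elevated session,
# Windows PowerShell 5.1+, Sysmon optional. Signer heuristic is ours.

function Get-VulnerableDriverBlocklistState {
    # Microsoft's documented switch for the vulnerable driver blocklist (1 = enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'NotConfigured (newer builds may enable it by default)' }
    if ($v.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Get-RunningKernelDriverAudit {
    # Inventory running kernel drivers with their Authenticode signer and flag
    # any whose signer subject does not mention Microsoft (heuristic, assumed).
    Get-CimInstance Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' -and $_.PathName } |
      ForEach-Object {
        # Normalise the \??\ and \SystemRoot prefixes some drivers report.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $subj = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Name       = $_.Name
            Path       = $path
            SigStatus  = if ($sig) { [string]$sig.Status } else { 'Unknown' }
            Signer     = $subj
            ThirdParty = ($subj -notmatch 'Microsoft')
        }
      }
}

function Get-RecentDriverLoadEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # 3076 = Code Integrity audit, 3077 = Code Integrity block; Sysmon ID 6 = DriverLoad.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational';        Id = 6;          StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
          Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
}

"Vulnerable driver blocklist: $(Get-VulnerableDriverBlocklistState)"
Get-RunningKernelDriverAudit | Where-Object { $_.ThirdParty -or $_.SigStatus -ne 'Valid' } | Format-Table -AutoSize
Get-RecentDriverLoadEvents -Hours 24 | Format-Table -AutoSize
```

Run it periodically and diff the driver inventory against a known-good baseline; a new third-party driver or a Code Integrity 3077 event is the "unexpected driver load" signal the first list above refers to.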

Attackers are continuing to look lower in the stack because that’s where many traditional protections become harder to enforce. The organizations that stay ahead are the ones reviewing not just applications and users, but the trusted components running underneath everything else.

Need help reviewing your endpoint security posture or identifying risky drivers in your environment? Reach out to Britec and let’s keep it fun.