{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/158530#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe PCTCore64.sys Windows kernel driver from PC Tools Internet Security exposes its `\\\\.\\PCTCoreDriver` device interface with no access control, allowing any user-mode process to interact with the driver and invoke privileged IOCTL (I/O Control) commands. In a Bring Your Own Vulnerable Driver (BYOVD) scenario, a local attacker with the ability to load a Windows driver can exploit the exposed interface to perform sensitive low-level operations on the target device.\r\n\r\n### Description\r\nPCTCore64.sys is a Windows kernel driver that implements system monitoring and protection functionality on local Windows systems. The driver creates a Windows Driver Model (WDM) device object `\\\\.\\PCTCoreDriver` via `IoCreateDevice` and provides user-mode access through a DOS device symbolic link via `IoCreateSymbolicLink`.\r\n\r\nThe driver exposes privileged functionality intended for administrative or security operations; however, the device object is created without a restrictive security descriptor. Specifically, the driver does not apply [security best practices](https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language) using either Security Descriptor Definition Language (SDDL) or the `IoCreateDeviceSecure` API, allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests.\r\n\r\nAs a result, an attacker may invoke IOCTL handlers capable of performing sensitive low-level operations, including:\r\n\r\n* System-wide handle enumeration\r\n* Cross-process handle manipulation\r\n* Credential extraction from `lsass.exe`\r\n* Forced termination of arbitrary processes, including Protected Process Light (PPL)-protected processes\r\n\r\nAlthough the original PC Tools Internet Security product line was discontinued in 2013 and is no longer maintained, the driver remains signed and can still be abused in BYOVD attacks. An attacker may load the vulnerable driver on a target system and leverage the exposed IOCTL interface to access privileged kernel functionality.\r\n\r\nOne vulnerable IOCTL permits the acquisition of a `PROCESS_ALL_ACCESS` handle to sensitive processes such as `lsass.exe`, enabling credential theft operations including extraction of NTLM hashes and Kerberos authentication material. Additional IOCTL handlers permit the termination of arbitrary processes regardless of PPL protections, enabling attackers to disable security software such as Microsoft Defender and other critical system services. Other exposed interfaces enable arbitrary handle operations against external processes, potentially resulting in process instability, crashes, or undefined behavior. Collectively, these vulnerabilities can be exploited to provide a practical attack path for credential theft, defense evasion, privilege escalation, and broader system compromise.\r\n\r\n**CVE-2026-8501** Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system.\r\n\r\n### Impact\r\nA local attacker with the ability to load a Windows kernel driver may exploit the vulnerable PCTCore64.sys driver to access sensitive processes such as `lsass.exe` and other PPL-protected services. Successful exploitation can enable credential theft, arbitrary process termination, denial-of-service (DoS) conditions, and broader system compromise through privileged kernel-level operations.\r\n\r\n### Solution\r\nThe PC Tools Internet Security product line and its PCTCore64.sys driver are no longer actively maintained and should not be used in production environments. Organizations should remove and block the vulnerable driver where possible and implement mitigations designed to reduce exposure to BYOVD attacks, including restricting administrative privileges, enforcing Microsoft [recommended driver block rules](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), and enabling protections such as Hypervisor-Protected Code Integrity (HVCI), Windows Defender Application Control (WDAC), and Credential Guard.\r\n\r\n### Acknowledgements\r\nThanks to Tzachi Hazan for researching and reporting this vulnerability. This document was written by Molly Jaconski.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/158530"}],"title":"PCTCore64.sys Windows kernel driver contains missing access control vulnerability","tracking":{"current_release_date":"2026-06-01T16:21:07+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.42"}},"id":"VU#158530","initial_release_date":"2026-06-01 16:21:07.202497+00:00","revision_history":[{"date":"2026-06-01T16:21:07+00:00","number":"1.20260601162107.1","summary":"Released on 2026-06-01T16:21:07+00:00"}],"status":"final","version":"1.20260601162107.1"}},"vulnerabilities":[{"title":"Improper access control in the PCTCore64.","notes":[{"category":"summary","text":"Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system."}],"cve":"CVE-2026-8501","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#158530"}],"product_status":{"known_not_affected":["CSAFPID-47dd53a6-5dea-11f1-8c68-0afff74df6a7"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-47dd53a6-5dea-11f1-8c68-0afff74df6a7"}}]}}