Mallory
Severity: Medium. Public exploit available.

Arbitrary PPL Process Termination in Topaz Antifraud wsftprm.sys

Identifiers: CVE-2023-52271, CWE-269

Topaz Antifraud's signed kernel driver wsftprm.sys version 2.0.0.0 contains a local vulnerability that allows a low-privileged attacker to send a crafted IOCTL to the driver and terminate arbitrary processes, including Protected Process Light (PPL) processes. The flaw is exposed through the driver's device control interface and results in kernel-mediated process termination without proper authorization checks on the caller. The issue has been described publicly as enabling low-privileged users to kill any PPL process, making the driver suitable for bring-your-own-vulnerable-driver (BYOVD) abuse.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker with local code execution as a low-privileged user to terminate arbitrary user-mode processes, including security-sensitive PPL-protected processes. In practice, this can be used to disable or impair endpoint protection, EDR, AV, and other defensive tooling that relies on protected processes, materially weakening host defenses and facilitating follow-on actions such as credential theft, persistence, lateral movement, or ransomware deployment. The driver has reportedly been abused in real-world BYOVD tradecraft to suppress security tools.

Mitigation

If you can’t patch tonight, do this now.

Prevent loading of wsftprm.sys through driver blocklisting and application control policies where operationally feasible. Monitor for unexpected loading of Topaz Antifraud drivers, suspicious access to the driver's device object, and anomalous process termination events affecting security products or PPL processes. Restrict administrative pathways that permit driver installation, enable kernel-mode driver block rules, and use EDR detections for BYOVD behavior. If the driver is present but not needed, remove it from endpoints and gold images. At the time referenced, the driver was reportedly not on Microsoft's vulnerable driver blocklist, so defenders may need to implement explicit custom blocking rather than rely on the default policy.
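The monitoring described above, as an added example that is not part of the original page: a small correlator over constructed Sysmon-style events (ID 6 DriverLoad, ID 5 ProcessTerminate) that alerts on any load of wsftprm.sys and on termination of a security process on the same host shortly after such a load. The event field names and the list of protected process names are assumptions.

```python
from datetime import datetime, timedelta

# Indicator taken from this advisory
DRIVER_NAME = "wsftprm.sys"
# Assumed sample list of security processes worth protecting (the page does
# not list the PoC's hardcoded names); extend with your own EDR binaries.
PROTECTED_PROCS = {"msmpeng.exe", "nissrv.exe", "mssense.exe",
                   "securityhealthservice.exe"}
WINDOW = timedelta(minutes=10)  # correlation window after a driver load

# Constructed Sysmon-style events: id 6 = DriverLoad, id 5 = ProcessTerminate
SAMPLE_EVENTS = [
    {"id": 6, "time": "2026-01-21T10:00:05", "host": "ws01",
     "image": r"C:\Windows\Temp\wsftprm.sys"},
    {"id": 5, "time": "2026-01-21T10:00:09", "host": "ws01",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"id": 5, "time": "2026-01-21T10:00:10", "host": "ws01",
     "image": r"C:\Windows\notepad.exe"},
    # Defender engine stopping on another host with no prior driver load:
    # an ordinary restart, not a BYOVD indicator on its own
    {"id": 5, "time": "2026-01-21T11:30:00", "host": "ws02",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_byovd_kills(events):
    """Return alert tuples: one per wsftprm.sys load, plus one per protected
    process terminated on the same host within WINDOW after such a load."""
    alerts = []
    loads = {}  # host -> timestamps of wsftprm.sys loads
    for ev in sorted(events, key=lambda e: e["time"]):
        name = _basename(ev["image"])
        if ev["id"] == 6 and name == DRIVER_NAME:
            loads.setdefault(ev["host"], []).append(_ts(ev["time"]))
            alerts.append(("driver_load", ev["host"], ev["image"]))
        elif ev["id"] == 5 and name in PROTECTED_PROCS:
            t = _ts(ev["time"])
            if any(timedelta(0) <= t - lt <= WINDOW
                   for lt in loads.get(ev["host"], [])):
                alerts.append(("security_process_killed_after_driver_load",
                               ev["host"], name))
    return alerts
```

The driver-load alert alone is worth acting on; the correlated termination alert separates a BYOVD kill from a routine Defender platform update that restarts MsMpEng.exe.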

Remediation

Patch, then assume compromise.

Update, remove, or replace the vulnerable Topaz Antifraud wsftprm.sys driver version 2.0.0.0 with a vendor-fixed version if one is available. If the software or driver is not required, uninstall it entirely and ensure the vulnerable driver binary cannot be loaded. Review and enforce enterprise controls for vulnerable driver management, including Microsoft Defender Application Control (MDAC/WDAC), Hypervisor-Protected Code Integrity where applicable, and driver allow/block policies. No specific fixed version or vendor advisory is cited here.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (valid: 1 of 1 total).
BYOVD-CVE-2023-52271-POC (maturity: PoC; verified exploit)

Repository contains a small Windows C++ proof-of-concept exploit for CVE-2023-52271 targeting the Warsaw driver wsftprm.sys (noted in README as version 2.0.0.0). Structure is minimal: README.md (description/links) and main.cpp (the exploit). main.cpp implements a local, driver-based process-killing tool: it enumerates running processes via Toolhelp32 APIs, matches against a hardcoded list of Microsoft Defender/Windows security process names, and for each match opens the device \\.\Warsaw_PM and sends DeviceIoControl with IOCTL 0x22201C. The input buffer is 1036 bytes with the target PID placed in the first 4 bytes, which is intended to trigger the vulnerable driver behavior to terminate even PPL-protected processes. The program loops once per second until interrupted (CTRL+C), making it suitable for repeatedly killing respawning security services. No network communication is present; the key fingerprintable artifacts are the driver device path (\\.\Warsaw_PM), the IOCTL code (0x22201C), and the targeted process name list.

Author: victoni. Disclosed Jan 21, 2026. Languages: C++, Markdown. Attack vector: local.
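The fingerprintable artifacts named in the description above, turned into a file-hunting check. This is an added example, not code from the PoC repository or from Mallory: it searches a binary for the device path (as ASCII and as UTF-16LE, since either CreateFileA or CreateFileW could be used) together with the IOCTL code as a 32-bit little-endian immediate, and requires both to match because a bare 4-byte constant alone would false-positive. The sample blobs are constructed.

```python
import struct

# Artifacts quoted in the exploit description on this page
DEVICE_PATH = r"\\.\Warsaw_PM"
IOCTL_CODE = 0x22201C


def artifact_indicators():
    """Byte patterns a compiled tool using this driver would carry."""
    return {
        "device_path_ascii": DEVICE_PATH.encode("ascii"),
        "device_path_utf16": DEVICE_PATH.encode("utf-16-le"),
        # x86/x64 code embeds the IOCTL as a little-endian immediate
        "ioctl_le32": struct.pack("<I", IOCTL_CODE),
    }


def scan_bytes(data):
    """Return per-indicator hits plus an overall 'match' verdict that needs
    the device path (either encoding) AND the IOCTL constant."""
    hits = {name: pattern in data
            for name, pattern in artifact_indicators().items()}
    hits["match"] = ((hits["device_path_ascii"] or hits["device_path_utf16"])
                     and hits["ioctl_le32"])
    return hits


def scan_file(path):
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed samples: one blob carrying both artifacts, one benign lookalike
SAMPLE_BLOB = (b"\x00" * 16 + DEVICE_PATH.encode("utf-16-le") + b"\x00\x00"
               + struct.pack("<I", IOCTL_CODE) + b"\x90" * 8)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 64 + b"Warsaw" + b"\x00" * 8
```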
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor          Product     Type
Topazevolution  Antifraud   application

Vendor-confirmed product mapping.
