EaseUS Partition Master left a Windows driver that lets any user seize the whole PC

A signed driver in EaseUS Partition Master (CVE-2026-12781) lets any standard Windows user read and overwrite the whole disk to reach SYSTEM. Patch, then block the driver.


EaseUS pushed a fix and moved on. The fix is the least important thing here. What matters is that a signed Windows kernel driver, the kind the operating system trusts the moment it loads, now carries a public flaw and a public exploit, and a signature does not expire the day a bug is found.

CVE-2026-12781 was published on June 21, 2026 and lives in epmntdrv.sys, a kernel driver that EaseUS Partition Master installs to handle low-level disk work. Builds 14.0 through 14.5 are affected. The driver exposes a device name that any logged-in account can open, with no administrator rights in the picture. From there the caller points it at a full physical disk and reads or writes the sectors directly. The CVSS score is 7.8, the attack vector is local, and according to the researcher writeup a working exploit is already public.

What a normal user can actually do with it

Windows file permissions decide who is allowed to open a file. They say nothing about who can read the raw sectors of the disk underneath that file. That gap is the whole bug.

A standard account cannot open another user's protected files or the registry hive that holds password material through normal Windows calls. With this driver it skips the question entirely. It reads the disk by sector offset, below the permission check, and it can write the same way. The advisory tags the issue as incorrect privilege assignment and improper access control. The read side spills the contents of protected files; the write side lets an attacker rewrite the sectors that store the registry, service settings, and other data a normal user should never reach. That is a short walk from an ordinary login to full SYSTEM control.

Why updating EaseUS does not close the door

The technique here is called bring your own vulnerable driver, or BYOVD: an attacker supplies a legitimately signed driver that has a known flaw, loads it, and rides the flaw into the Windows kernel. Windows loads the driver because the signature checks out, and security products that key on signature validity have no default reason to stop it. We have written before about how this same trick is now packaged and handed to ransomware affiliates.

EaseUS says the problem was only in older builds and is resolved in the current release. Both things can be true and still miss the point. The flawed epmntdrv.sys is signed, so Windows will still load it. An attacker who has already reached administrator on a machine that never had EaseUS installed (loading any driver needs that right, which is why BYOVD is an admin-to-kernel step rather than a user-to-admin one) can carry the old signed file in, load it, and get the same raw disk access below every file permission and below most security tooling. Patching your own copy of the tool does nothing about the copy an intruder brings along.

This is not hypothetical. The same driver has a violent history. In February 2022 the HermeticWiper malware, used in destructive attacks against organizations in Ukraine, bundled epmntdrv.sys from EaseUS Partition Master and used it to overwrite drives at the sector level, as Cisco Talos has documented. A driver that can write any sector on a disk is exactly the primitive a wiper, a stealthy kernel implant, or a privilege-escalation chain is looking for, which is why this family of tools keeps turning up in real intrusions.

What to do now

Treat this as a driver-blocking problem, not a software-update problem. Updating the application is fine, but it is not the control that matters.

  • Block the driver by hash. Turn on the Microsoft Vulnerable Driver Blocklist and pair it with memory integrity (HVCI) so a known-bad signed driver is refused even though its signature checks out. The blocklist is on by default on HVCI-enabled machines and on Windows 11 22H2 and later, but it is refreshed only with major Windows releases, so confirm on a representative host that the setting is actually active rather than assuming it.

  • Put kernel drivers under application control. An allow-list approach with Windows Defender Application Control (WDAC) means an unexpected driver like this one cannot load on a server that never needed it.

  • Check it against LOLDrivers. The LOLDrivers project catalogs known vulnerable and malicious drivers. Match epmntdrv.sys (SHA-256 D0653356A2D3128256B3996AADAB10108C72CA0B13FEF85C0051784A8D906179) against your approved-driver baseline and flag any host where it loads unexpectedly. A hash list only covers the samples someone has catalogued, and other builds of the same driver carry other hashes, so treat the hash match as a floor and pair it with the behavioral hunt.

  • Hunt the behavior, not the name. Watch for a rarely-seen signed driver loading (the Service Control Manager logs a new kernel service as System event 7045, and Sysmon records each driver load with hash and signer as event ID 6), especially a non-administrative process opening a handle to that driver's device followed by raw sector reads or writes against sensitive locations. The filename will change; the behavior will not.
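The checks in the four points above, collected into one triage script. This is an added example written for this article, not code from EaseUS, Microsoft or the LOLDrivers project. It assumes an elevated PowerShell session on the host being examined; the SHA-256 is the LOLDrivers-listed sample quoted above, so other builds of the driver will not match it and are caught only by name, service registration and load events. The Sysmon hash match only works where Sysmon is configured to record SHA256.

```powershell
# Added example: triage one host for the vulnerable epmntdrv.sys driver and for
# the controls that should refuse it. Not part of the advisory or any vendor tool.
# Assumptions: elevated session; $KnownBadSha256 is the LOLDrivers-listed sample
# (other builds carry other hashes, so the hash match is a floor, not the check).

$KnownBadSha256 = 'D0653356A2D3128256B3996AADAB10108C72CA0B13FEF85C0051784A8D906179'
$DriverName     = 'epmntdrv'

function Get-DriverProtectionState {
    # Win32_DeviceGuard reports VBS/HVCI and WDAC enforcement; the CI\Config
    # registry value reports whether the Microsoft Vulnerable Driver Blocklist is on.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
              -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning            = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = running
        HvciRunning           = ($dg.SecurityServicesRunning -contains 2)       # 2 = HVCI
        KernelCiPolicy        = $dg.CodeIntegrityPolicyEnforcementStatus        # 0 off, 1 audit, 2 enforced
        VulnerableDriverBlock = ($bl.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Find-VulnerableDriverFile {
    # Look for the driver file where the EaseUS installer and a BYOVD dropper would both leave it.
    param([string[]]$Roots = @("$env:SystemRoot\System32\drivers", "$env:ProgramFiles",
                               "${env:ProgramFiles(x86)}", "$env:TEMP"))
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter "$DriverName.sys" -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                Sha256      = $hash
                KnownBad    = ($hash -eq $KnownBadSha256)
                SignerValid = ($sig.Status -eq 'Valid')   # expected to be Valid; that is the BYOVD problem
                Signer      = $sig.SignerCertificate.Subject
            }
        }
    }
}

function Get-DriverService {
    # Was a kernel service registered for it? Win32_SystemDriver lists driver services, loaded or not.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like "$DriverName*" -or $_.PathName -like "*$DriverName*" } |
        Select-Object Name, PathName, State, StartMode
}

function Get-DriverLoadEvents {
    # Two independent telemetry sources: SCM event 7045 (a service, including a kernel
    # driver, was installed) and Sysmon event 6 (driver loaded, with hash and signer).
    param([int]$Days = 30)
    $since  = (Get-Date).AddDays(-$Days)
    $scm    = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Service Control Manager';
                                               Id=7045; StartTime=$since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match $DriverName }
    $sysmon = Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational';
                                               Id=6; StartTime=$since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match $DriverName -or $_.Message -match $KnownBadSha256 }
    [pscustomobject]@{ ServiceInstalls = @($scm); SysmonDriverLoads = @($sysmon) }
}

# Usage: the four answers an incident responder needs from the host.
Get-DriverProtectionState | Format-List
Find-VulnerableDriverFile | Format-Table -AutoSize
Get-DriverService         | Format-Table -AutoSize
$ev = Get-DriverLoadEvents
"SCM 7045 installs mentioning ${DriverName}: $($ev.ServiceInstalls.Count); Sysmon driver loads: $($ev.SysmonDriverLoads.Count)"
```

A host where `VulnerableDriverBlock` or `HvciRunning` comes back false is one where the signed driver will load on request; a host with a `KnownBad` file but no service and no load event is a staged dropper, not yet an escalation, and is the better moment to catch it.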

The lesson outlasts this one tool. Every signed driver that can touch raw disk or kernel memory is a privilege-escalation primitive waiting for a flaw, and code signing was never built to revoke trust the moment a bug surfaces. Until driver allow-listing is the default rather than the exception, each new entry on the vulnerable-driver list is one more key an attacker can carry through your front door.


Frequently asked questions

What is CVE-2026-12781?

CVE-2026-12781 is a local privilege-escalation flaw in epmntdrv.sys, a kernel driver installed by EaseUS Partition Master versions 14.0 through 14.5. Any logged-in user can open the driver, point it at a physical disk, and read or write raw sectors, bypassing Windows file permissions to reach SYSTEM.

Can an attacker exploit this without administrator rights?

Yes. The whole point of the flaw is that a standard, non-administrative account can open the driver and issue raw disk reads and writes. The attack is local, so the attacker needs some access to the machine first, but no elevated rights are required to escalate.

Does updating EaseUS Partition Master remove the risk?

Not by itself. EaseUS says newer builds resolve the issue, but the vulnerable epmntdrv.sys is validly signed. An attacker who already holds administrator rights (which loading any driver requires) can drop that old signed driver onto any machine, including ones that never ran EaseUS, and load it to reach the kernel and the raw disk. The durable fix is blocking the driver, not just updating the app.

Is CVE-2026-12781 being exploited?

A public proof-of-concept exploit is already circulating, per the researcher writeup and the CVE record. There is no confirmed mass exploitation yet, but the same driver, epmntdrv.sys, was weaponized by the HermeticWiper malware in 2022, so abuse of this driver class is well documented.

How do defenders block the vulnerable epmntdrv.sys driver?

Enable the Microsoft Vulnerable Driver Blocklist with memory integrity (HVCI) so the signed driver is refused, and put kernel drivers under a Windows Defender Application Control allow-list. Cross-reference the driver against the LOLDrivers project, and alert on driver-load telemetry (System event 7045, Sysmon event ID 6) when a rarely-seen signed driver appears, especially if a non-administrative process then opens its device.
