Trellix HX Agent Privilege Escalation Vulnerability via Vulnerable Driver

Vulnerability

A vulnerability in the Trellix HX Agent driver file fekern.sys allows local users to gain elevated system privileges. The issue arises when the vulnerable driver is exploited through the Bring Your Own Vulnerable Driver (BYOVD) technique, which enables access to critical Windows process memory, specifically lsass.exe (Local Security Authority Subsystem Service). The fekern.sys driver is associated with all existing versions of Trellix HX Agent. However, the vulnerability cannot be exploited directly, as the product's tamper protection limits communication with the driver to the agent's processes.

Impact

Exploitation of this vulnerability allows local users to gain elevated system privileges, potentially leading to unauthorized access or modifications within the system.

Added: Feb 24, 2026, 6:35 PM
Updated: Feb 24, 2026, 10:07 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.