Affected software
Endpoint HX Agent (xAgent) 36.30.0-17, 35.31.0-37, 34.x, 33.x, 30.x
Remediated / updated versions
xAgent - 36.30.37, 35.31.44
Impact
CVE-2025-14963 (CWE-20 Improper Input Validation; Severity: Medium). A vulnerability was identified in fekern.sys, the driver file associated with Trellix HX Agent and used in all existing HX Agent versions. The driver could be leveraged outside the product to allow a threat actor with local user access to gain elevated system privileges. A Bring Your Own Vulnerable Driver (BYOVD) attack could be used to gain access to the memory of the critical Windows process lsass.exe (Local Security Authority Subsystem Service).
The vulnerable driver is not itself exploitable when installed in a product or system running a fully functional HX Agent, because the product's tamper protection restricts communication with the driver to the agent's own processes.
Trellix has not observed any exploitation of this vulnerability in the wild, and there is no evidence of attacks against HX customers. We have hardened the driver in the new versions of the product that have been released.
Recommendation
Verify that you have applied the latest updates. Impacted users should install the relevant updates or hotfixes. For full instructions and information, see the Knowledge Base article "Supported upgrade paths for Trellix Endpoint Security (HX) Server and HX Agent from legacy versions".
The updated HX Agent builds include the following improvements:
- Driver access restricted to the Local System account
- Additional memory protections for critical Windows processes
- Security hardening beyond the originally reported issue
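One way to run the version check recommended above across a fleet, as an added example that is not Trellix code. It assumes an inventory export of (host, agent version) pairs, with constructed sample hosts and versions, and it assumes that any build below the fixed build in the same release branch still needs the update.

```python
import re

# Fixed builds per release branch, from this advisory: 36.30.37 and 35.31.44.
FIXED = {(36, 30): 37, (35, 31): 44}
# Major lines the advisory lists as affected without naming a fixed build.
AFFECTED_MAJORS = {34, 33, 30}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '35.31.28' or 'xAgent 36.30.17'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(version_text):
    """Map one agent version string to a triage status."""
    major, minor, patch = parse_version(version_text)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is not None:
        # Assumption: anything below the fixed build in this branch needs the update.
        return "remediated" if patch >= fixed_patch else "update-required"
    if major in AFFECTED_MAJORS:
        return "upgrade-required"  # move to a branch that has a fixed build
    return "not-listed"            # branch not named in the advisory: review by hand

def triage(inventory):
    """Group hosts by status; unparseable versions are reported, not dropped."""
    report = {}
    for host, version_text in inventory:
        try:
            status = classify(version_text)
        except ValueError:
            status = "unparsed"
        report.setdefault(status, []).append(host)
    return report

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    ("ws-001", "36.30.17"),
    ("ws-002", "36.30.37"),
    ("ws-003", "xAgent 35.31.28"),
    ("srv-01", "35.31.44"),
    ("srv-02", "34.28.6"),
    ("lab-07", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:17} {', '.join(hosts)}")
```

Hosts reported as "not-listed" or "unparsed" need manual review, since the advisory states that fekern.sys is used in all existing HX Agent versions.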
For a full list of changes, see the Release Notes:
Additional Resources:
Note: To receive information about product updates, sign up for the Support Notification Service.
For instructions, see the Thrive Portal User Guide and navigate to Profile and Settings > My Settings > Manage Support Notification Services (SNS) subscription preferences.