CVE-2025-0221 · A vulnerability has been found in IOBit Protected Folder up to 1.3.0 and classified as problematic.

01 · The Real Story

This is a breaker switch inside one apartment, not a fire in the whole building

CVE-2025-0221 is a local null-pointer dereference in pffilter.sys, the driver behind IObit Protected Folder, affecting versions up to and including 1.3.0. A user-mode process with local access can talk to the driver's IOCTL handler (0x22200c) and trigger a crash path that causes availability impact only—think driver crash / BSOD / local denial of service, not code execution, privilege escalation, or data theft.

The vendor/CNA MEDIUM 5.5 score is technically fair in a vacuum, but it overstates enterprise urgency. The decisive real-world friction is that this requires local code execution plus local privileges on a host that already has this niche product installed, and the outcome is only single-host disruption. For a 10,000-host program, this is backlog hygiene, not an interrupt-the-week emergency.

"Local low-privilege BSOD in a niche endpoint tool: annoying, real, but not a patch fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get code running on the endpoint

An attacker first needs local execution on a Windows machine that has IObit Protected Folder installed. In practice this means a logged-in user, a foothold from malware, RMM abuse, or another post-compromise execution path using tools like powershell.exe, cmd.exe, or a dropper. This is already post-initial-access territory.

Conditions required:

Windows host with IObit Protected Folder installed
Ability to run code locally
At least low local privileges

Where this breaks in practice:

Not remotely reachable over the network
Requires the software to be present at all
Most enterprise fleets do not standardize on this consumer-style utility

Detection/coverage: Traditional network scanners will not find exploitation conditions. EDR can usually see the precursor: suspicious local code execution on a host with the product installed.

STEP 02

Open the device and send the crafted IOCTL

With code running locally, the attacker opens a handle to the Protected Folder driver device and sends the vulnerable control code to the IOCTL handler in pffilter.sys. Public exploit material is referenced by NVD via the shareforall.notion.site proof-of-concept, so the trigger is not theoretical.

Conditions required:

Access to the driver's device interface from user mode
Knowledge of the vulnerable IOCTL path

Where this breaks in practice:

Exploit value is low because the bug yields DoS, not elevation
Application control, WDAC, or EDR can block the untrusted helper binary or script before the IOCTL is sent

Detection/coverage: Coverage is mostly behavioral. EDR/kernel telemetry may catch unusual device-handle activity, but commodity vuln scanners generally will not validate this path.

STEP 03

Trigger the null dereference in kernel space

The malformed request reaches the driver's vulnerable code path and triggers a null pointer dereference. Because this happens in a kernel driver, the practical effect is typically a system crash or instability, creating local denial of service.

Conditions required:

Vulnerable driver version present
Successful invocation of the buggy code path

Where this breaks in practice:

No confidentiality or integrity gain from the bug itself
Blast radius is normally one host at a time

Detection/coverage: You may see Windows crash artifacts, bugcheck events, WER data, or abrupt endpoint reboots. Security tooling often recognizes the crash aftermath better than the exploit trigger.

STEP 04

Impact stays narrow

The attacker can disrupt the host, but the vulnerability does not inherently expand access, pivot, or cross tenant boundaries. In enterprise terms, this is a host-level nuisance or sabotage primitive after compromise, not a scalable intrusion accelerant.

Conditions required:

Attacker already has endpoint foothold

Where this breaks in practice:

Single-endpoint availability impact only
No remote wormability
No evidence of meaningful broad exploitation campaigns

Detection/coverage: SOC visibility comes from the compromise chain around it, not from internet exposure management.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No known active exploitation evidence found in authoritative public sources reviewed; NVD notes a public exploit reference, but that is PoC/public disclosure, not campaign evidence.
Proof-of-concept availability	Yes. NVD references a public exploit write-up/PoC on `shareforall.notion.site`; inTheWild.io also tracks that exploit reference.
EPSS	0.00066 from the user-provided intel block, which is extremely low and consistent with a niche local DoS issue rather than an internet-scale attacker favorite.
KEV status	Not listed in CISA KEV per the user-provided intel block; that aligns with the absence of broad exploitation pressure.
CVSS vector meaning	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` means local attack, low complexity, low privileges required, no user interaction, and availability-only impact.
Affected versions	IObit Protected Folder up to and including 1.3.0; NVD/OpenCVE also reflect the affected 1.0/1.1/1.2/1.3 line.
Fixed version	No public fixed version located. IObit's public product page still lists `V 1.3.0`, and no vendor advisory or patched build was found in reviewed sources.
External exposure	Effectively none as an internet-facing attack surface. This is a local Windows endpoint driver issue, not a remotely reachable service; exposure depends on software presence on endpoints, not Shodan/Censys discoverability.
Disclosure timeline	Disclosed 2025-01-05; NVD shows publication on 2025-01-05 and modification on 2025-01-23.
Reporter / source	CVE record metadata mirrored by OpenCVE credits TopGun (VulDB User) and shows VulDB as the CNA/source lineage.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (2.8/10)

The single biggest downward driver is that exploitation requires local access on a host already running this specific product, which makes it a post-compromise availability bug rather than an intrusion vector. Even with a public PoC, the blast radius is usually one endpoint reboot or crash, not domain-wide compromise.

HIGH Attack-position assessment: this is local, post-initial-access, and non-remote

MEDIUM Patch availability assessment: no public fixed version/vendor advisory was found in reviewed sources

Why this verdict

Down from vendor 5.5: AV:L is not a small detail; it means the attacker is already on the box, so this vulnerability does not help with initial access.
Further down: PR:L implies a logged-in user or equivalent foothold, which compounds the post-compromise requirement instead of broadening exposure.
Further down: impact is A:H only; there is no confidentiality, integrity, or privilege-escalation payoff in the published scoring and descriptions.
Further down: the affected product appears to be a niche endpoint utility, not a core enterprise platform with ubiquitous managed deployment.
Slight upward pressure: a public PoC/exploit reference exists, so the bug is reproducible and should not be dismissed as purely theoretical.

Why not higher?

There is no remote reachability, no authentication bypass, no privilege escalation, and no evidence that exploiting this bug turns a minor foothold into materially greater control. In a real enterprise kill chain, an attacker who already has local execution generally has easier and more useful ways to cause disruption than crashing this specific third-party driver.

Why not lower?

I would not mark it IGNORE because kernel-driver bugs can still create real workstation/server instability, and public PoC availability lowers the effort for a malicious insider or already-landed malware to weaponize it. If this product is present on sensitive endpoints, you should still track it and reduce exposure rather than hand-wave it away.

05 · Compensating Control

What to do — in priority order.

Inventory the product — Identify where IObit Protected Folder is installed, including the presence of pffilter.sys, so you know whether the issue exists at all. For a LOW verdict there is no mitigation SLA; do this as normal vulnerability hygiene while planning remediation inside the 365-day window.
Restrict untrusted code execution — Use WDAC/AppLocker/EDR policy to block unsigned or unapproved binaries and scripts from running on endpoints with this software. That directly cuts off the prerequisite local execution step; for a LOW finding, fold this into normal hardening rather than treating it as an emergency.
Remove the software where unnecessary — If Protected Folder is not a business requirement, uninstall it from managed endpoints and VDI images. This eliminates the vulnerable driver entirely and is usually a better answer than waiting for a vendor patch that may never arrive; complete under the 365-day remediation window.
Watch for crash patterns — Add detection for repeated bugchecks, sudden reboots, or user-mode tools targeting the driver on systems where Protected Folder is installed. This will not prevent exploitation, but it helps you distinguish accidental instability from deliberate endpoint sabotage during the remediation period.

What doesn't work

A WAF does nothing here because there is no HTTP-facing attack path.
Internet perimeter blocking or NGFW rules do not materially help because the exploit path is local device I/O, not inbound network traffic.
Vulnerability scanning from the network will not reliably validate exploitability; the important question is software presence on the host, not port exposure.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your endpoint management tool as Administrator. Example: powershell.exe -ExecutionPolicy Bypass -File .\Test-CVE-2025-0221.ps1. It checks for IObit Protected Folder and the pffilter.sys driver version; because no public fixed version was found, any installed version <= 1.3.0 is treated as VULNERABLE.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# Test-CVE-2025-0221.ps1

# Checks whether IObit Protected Folder / pffilter.sys is present and vulnerable.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$State,
        [int]$Code,
        [string]$Detail
    )
    Write-Output ("{0} - {1}" -f $State, $Detail)
    exit $Code
}

function Parse-Version {
    param([string]$Value)
    try {
        return [version]$Value
    } catch {
        return $null
    }
}

try {
    $paths = @(
        "$env:ProgramFiles\IObit\Protected Folder\pffilter.sys",
        "$env:ProgramFiles\IObit\Protected Folder\drivers\pffilter.sys",
        "$env:ProgramFiles(x86)\IObit\Protected Folder\pffilter.sys",
        "$env:ProgramFiles(x86)\IObit\Protected Folder\drivers\pffilter.sys"
    )

    $driver = $paths | Where-Object { Test-Path $_ } | Select-Object -First 1

    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $app = Get-ItemProperty $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match 'Protected Folder' -or $_.Publisher -match 'IObit'
        } |
        Sort-Object DisplayVersion -Descending |
        Select-Object -First 1

    $appVersion = $null
    if ($app -and $app.DisplayVersion) {
        $appVersion = Parse-Version $app.DisplayVersion
    }

    $driverVersion = $null
    if ($driver) {
        $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($driver)
        if ($fvi -and $fvi.FileVersion) {
            $driverVersion = Parse-Version $fvi.FileVersion
        }
    }

    $threshold = [version]'1.3.0.0'

    if (-not $driver -and -not $app) {
        Write-Result -State 'PATCHED' -Code 0 -Detail 'IObit Protected Folder not installed; host not affected.'
    }

    if ($appVersion -and $appVersion -le $threshold) {
        Write-Result -State 'VULNERABLE' -Code 1 -Detail ("Installed product version {0} is <= 1.3.0." -f $appVersion)
    }

    if ($driverVersion -and $driverVersion -le $threshold) {
        Write-Result -State 'VULNERABLE' -Code 1 -Detail ("Driver version {0} is <= 1.3.0 at {1}." -f $driverVersion, $driver)
    }

    if ($appVersion -and $appVersion -gt $threshold) {
        Write-Result -State 'PATCHED' -Code 0 -Detail ("Installed product version {0} is > 1.3.0." -f $appVersion)
    }

    if ($driverVersion -and $driverVersion -gt $threshold) {
        Write-Result -State 'PATCHED' -Code 0 -Detail ("Driver version {0} is > 1.3.0 at {1}." -f $driverVersion, $driver)
    }

    Write-Result -State 'UNKNOWN' -Code 2 -Detail 'Protected Folder artifacts found, but version could not be determined confidently.'
}
catch {
    Write-Result -State 'UNKNOWN' -Code 2 -Detail $_.Exception.Message
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: first verify whether you even run this software. For a LOW verdict, there is no noisgate mitigation SLA — treat it as backlog hygiene and go straight to the noisgate remediation SLA of ≤365 days; if the product is unnecessary, remove it from images and endpoints during the next normal software-rationalization cycle, and if it is required, track vendor movement and contain risk with application-control policy rather than burning urgent patch bandwidth on a local availability-only bug.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.