nicm.sys
Novell Client kernel driver
nicm.sys is a kernel driver from the Novell Client, used in enterprise environments that ran Novell NetWare or eDirectory file-and-print services. CVE-2013-3956 documented a local privilege escalation through the driver: a specially-formed IOCTL request supplies a user-mode pointer that the driver calls as a function pointer, giving arbitrary kernel-mode code execution to any local user.
Why it persists on the catalog: although the supported Novell Client has been updated, older signed versions still load on modern Windows. The driver is not part of a typical gaming PC; its appearance normally traces back to a previous enterprise deployment.
If you find it on a personal system you do not recognize, uninstall the Novell Client through Windows' Apps & features.
nicm.sys is listed as a known-vulnerable driver on the public LOLDrivers project. 3 distinct binary hashes matching this filename are on record, meaning multiple versions of the file have been observed.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “nicm.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/nicm-sys
