CVE-2015-1701

CVSS 7.8 HIGHEPSS 56.2%● KEV

Vexday Risk Score

98Fix now

SSVC decision (CISA)

Act

Exploitation + impact → act immediately

CVSS 7.8EPSS 56.2%KEV simPoC públicaNuclei —Metasploit simPatch referenciado

Lifecycle

21 Apr 2015Published on NVD

12 May 2015Metasploit module available

12 May 2015Public PoC

03 Mar 2022Active exploitation (CISA KEV)

Recommendation: Patch as soon as possible — active exploitation confirmed.

Who exploits it — 1

Groups known to exploit this vulnerability (MITRE ATT&CK attribution).

APT / StateAPT28Rússia

In short

A flaw in Windows kernel drivers allows a local user to run a specially crafted program that grants them admin-level access to the system. This was actively exploited by attackers in April 2015.

Technical detail

Win32k.sys kernel-mode driver contains an elevation of privilege vulnerability exploitable by local authenticated users through a crafted application. Pre-condition requires local code execution capability; successful exploitation grants SYSTEM-level privileges, enabling complete system compromise.

Summary generated and translated by AI from the official description.

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · n/a

public PoCs found — 8

githubgithub.com/hfiref0x/CVE-2015-1701★ 293 githubgithub.com/Anonymous-Family/CVE-2015-1701-download★ 0 githubgithub.com/gousseine-systems/vuln-rabilit-windows7★ 0 githubgithub.com/Anonymous-Family/CVE-2015-1701★ 0 exploitdbwww.exploit-db.com/exploits/37049unverified cve_referencewww.exploit-db.com/exploits/37367/unverified exploitdbwww.exploit-db.com/exploits/37367unverified cve_referencewww.exploit-db.com/exploits/37049/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-051 http://seclists.org/fulldisclosure/2020/May/34 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-1701 https://www.exploit-db.com/exploits/37049/https://www.exploit-db.com/exploits/37367/https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html http://twitter.com/symantec/statuses/590208710527549440 http://www.securityfocus.com/bid/74245 http://www.securitytracker.com/id/1032155