Known Exploited Vulnerabilities Privilege Escalation Capability Group

This zero-day vulnerability presents itself after an adversary has already infiltrated the victim's network and enables the adversary to obtain SYSTEM level privileges via Microsoft Windows Hyper-V product. As of now, details of how the attacker's methods to exploit this vulnerability are undisclosed.

CVE-2020-1472 is a privilege escalation vulnerability in Windows Netlogon. After gaining initial access, the actors exploit CVE-2020-1472 to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials.

This privilege escalation vulnerability can be exploited by sending a specially crafted HTTP request to the exchange server, is it often chained together with CVE-2021-34473, a remote code execution vulnerability.

CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

This vulnerability allows adversaries with local access to escalate privileges to root. Adversaries have been observed chaining this following exploit of CVE-2022-22954.

This zero-day vulnerability presents itself after an adversary has already infiltrated the victim's network and enables the adversary to obtain SYSTEM level privileges via Microsoft Windows Hyper-V product. As of now, details of how the attacker's methods to exploit this vulnerability are undisclosed.

CVE-2019-0211 is a privilege escalation vulnerability in Apache HTTP Server with MPM event, worker, or prefork that allows an attacker to execute code with the privileges of that parent process (usually root).

Local escalation of privilege attack. Attacker would most likely gain access through an executable or script on the local computer sent to the user via an email attachment.

Local escalation of privilege attack. Attacker would most likely gain access through an executable or script on the local computer sent to the user via an email attachment.

This vulnerability is a zero-day exploit that is believed to still be utilized by various adversarial groups leading to limited publicly available exploitation information. The vulnerability is a "heap-based protector flood susceptibility impacting the Windows DWM Core Library" enabling an adversary to gain SYSTEM privileges.

This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.

This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.

This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.

CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.

CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. CVE-2020-1472 has been reported to be exploited by Ransomware groups for initial access.

CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.

CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access.

This vulnerability is exploited by an authenticated, local attacker in order to execute arbitrary code with root-level privileges by copying a crafted file to the disk0: file system. This is possible due to improper validation of a file when it is read from system flash memory. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.

This vulnerability is exploited by an authenticated, local attacker in order to execute arbitrary code with root-level privileges by copying a crafted file to the disk0: file system. This is possible due to improper validation of a file when it is read from system flash memory. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.

This vulnerability is exploited through improper access control in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to gain initial access by issuing a privilege level 15 command, which allowed them to create a local user account with a password.

This vulnerability is exploited through improper access control in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to gain initial access by issuing a privilege level 15 command, which allowed them to create a local user account with a password.

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs.

This vulnerability is exploited by an authenticated adversary. It is identified as requiring local access via Microsoft; however, other reports have identified remote, authenticated adversaries can exploit this vulnerability. A successful exploitation would grant an attacker SYSTEM level privileges. This vulnerability has been exploited in the wild; however, technical details of how this was leveraged in an attack has not been publicly shared.

This vulnerability is exploited by an authenticated adversary. It is identified as requiring local access via Microsoft; however, other reports have identified remote, authenticated adversaries can exploit this vulnerability. A successful exploitation would grant an attacker SYSTEM level privileges. This vulnerability has been exploited in the wild; however, technical details of how this was leveraged in an attack has not been publicly shared.

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain limited SYSTEM level privileges. This vulnerability has been exploited in the wild; however, no technical information has been published related to the exploitation. Microsoft has identified that successful exploitation of this vulnerability requires an attacker to win a race condition.

This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain limited SYSTEM level privileges. This vulnerability has been exploited in the wild; however, no technical information has been published related to the exploitation. Microsoft has identified that successful exploitation of this vulnerability requires an attacker to win a race condition.

This vulnerability is exploited by an adversary who has already gained local access to the victim system. To exploit this vulnerability, the adversary needs to already have access to the system and must also "win a race condition". If successfully exploited, the adversary would gain elevated privileges on the victim system. This vulnerability has been identified as exploited in the wild; however, technical exploitation details have not been publicly shared.

This vulnerability is exploited by an adversary who has already gained local access to the victim system. To exploit this vulnerability, the adversary needs to already have access to the system and must also "win a race condition". If successfully exploited, the adversary would gain elevated privileges on the victim system. This vulnerability has been identified as exploited in the wild; however, technical exploitation details have not been publicly shared.

This vulnerability is exploited by an adversary who has already gained local access to the victim system. The adversary gains access to the vulnerability either by social engineering, a separate exploit, or malware. Exploiting this vulnerability grants the adversary elevated privileges on the victim system. This vulnerability has been identified as being exploited in the wild; however, technical details of how the vulnerability has been leveraged by a hacker or APT have not been publicly released.

This vulnerability is exploited by an adversary who has already gained local access to the victim system. The adversary gains access to the vulnerability either by social engineering, a separate exploit, or malware. Exploiting this vulnerability grants the adversary elevated privileges on the victim system. This vulnerability has been identified as being exploited in the wild; however, technical details of how the vulnerability has been leveraged by a hacker or APT have not been publicly released.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.

This vulnerability is leveraged by an adversary who has already gained local access to the victim system. The adversary exploits this vulnerability to elevate their privileges on the system via the Print Spooler, which could give the adversary the ability to distribute and install malicious programs on victims’ computers that can steal stored data This vulnerability has been actively exploited by cybercriminals to gain unauthorized access to corporate networks and resources. Details about who is exploiting this vulnerability and their exact movements have not been publicly shared.

This vulnerability is leveraged by an adversary who has already gained local access to the victim system. The adversary exploits this vulnerability to elevate their privileges on the system via the Print Spooler, which could give the adversary the ability to distribute and install malicious programs on victims’ computers that can steal stored data This vulnerability has been actively exploited by cybercriminals to gain unauthorized access to corporate networks and resources. Details about who is exploiting this vulnerability and their exact movements have not been publicly shared.

This vulnerability is exploited by an attacker who has obtained access to manipulate the Print Spooler service on the target system. The vulnerability lies in the Print Spooler, specifically involving XML manipulation and path traversal to a writable path containing a modified version of the `prntvpt.dll` file. This vulnerability has been exploited by threat actors to load unauthorized code on Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the path traversal vulnerability to load a malicious DLL by manipulating the Print Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation controls to load untrusted resources, thereby executing arbitrary code with elevated privileges.

This vulnerability is exploited by an attacker who has obtained access to manipulate the Print Spooler service on the target system. The vulnerability lies in the Print Spooler, specifically involving XML manipulation and path traversal to a writable path containing a modified version of the `prntvpt.dll` file. This vulnerability has been exploited by threat actors to load unauthorized code on Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the path traversal vulnerability to load a malicious DLL by manipulating the Print Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation controls to load untrusted resources, thereby executing arbitrary code with elevated privileges.

This vulnerability is exploited by an attacker who has obtained access to manipulate the Print Spooler service on the target system. The vulnerability lies in the Print Spooler, specifically involving XML manipulation and path traversal to a writable path containing a modified version of the `prntvpt.dll` file. This vulnerability has been exploited by threat actors to load unauthorized code on Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the path traversal vulnerability to load a malicious DLL by manipulating the Print Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation controls to load untrusted resources, thereby executing arbitrary code with elevated privileges.

This vulnerability is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows Common Log File System (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone` field in the Base Record Header for the base log file (BLF). This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering an out-of-bound write that corrupts a pointer to the CClfsContainer object. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary actions with SYSTEM-level privileges. This allows them to achieve their objectives, such as disabling security applications and gaining full control over the compromised system.

This vulnerability is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows Common Log File System (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone` field in the Base Record Header for the base log file (BLF). This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering an out-of-bound write that corrupts a pointer to the CClfsContainer object. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary actions with SYSTEM-level privileges. This allows them to achieve their objectives, such as disabling security applications and gaining full control over the compromised system.

This vulnerability is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows Common Log File System (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone` field in the Base Record Header for the base log file (BLF). This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering an out-of-bound write that corrupts a pointer to the CClfsContainer object. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary actions with SYSTEM-level privileges. This allows them to achieve their objectives, such as disabling security applications and gaining full control over the compromised system.

CVE-2022-41033 is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows COM+ Event System Service, due to improper handling of privilege escalation scenarios. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves pairing the elevation of privilege vulnerability with other code-execution exploits, often through social engineering tactics such as enticing a user to open a malicious attachment or visit a harmful website. Once the vulnerability is exploited, attackers can manipulate system privileges to perform arbitrary actions with SYSTEM-level permissions. This allows them to achieve their objectives, such as installing programs, viewing or changing data, and creating new accounts with full user rights.

CVE-2022-41033 is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows COM+ Event System Service, due to improper handling of privilege escalation scenarios. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves pairing the elevation of privilege vulnerability with other code-execution exploits, often through social engineering tactics such as enticing a user to open a malicious attachment or visit a harmful website. Once the vulnerability is exploited, attackers can manipulate system privileges to perform arbitrary actions with SYSTEM-level permissions. This allows them to achieve their objectives, such as installing programs, viewing or changing data, and creating new accounts with full user rights.

This vulnerability is exploited by an attacker who has obtained local access with low privileges on the target system. The vulnerability lies in the Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due to a memory overflow issue. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access. Once the vulnerability is exploited, attackers can manipulate system processes and access sensitive information stored in the service, such as cryptographic keys. This allows them to achieve their objectives, such as executing code with elevated privileges and compromising the security of the affected system.

This vulnerability is exploited by an attacker who has obtained local access with low privileges on the target system. The vulnerability lies in the Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due to a memory overflow issue. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access. Once the vulnerability is exploited, attackers can manipulate system processes and access sensitive information stored in the service, such as cryptographic keys. This allows them to achieve their objectives, such as executing code with elevated privileges and compromising the security of the affected system.

This vulnerability is exploited by an attacker who has obtained local access with low privileges on the target system. The vulnerability lies in the Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due to a memory overflow issue. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access. Once the vulnerability is exploited, attackers can manipulate system processes and access sensitive information stored in the service, such as cryptographic keys. This allows them to achieve their objectives, such as executing code with elevated privileges and compromising the security of the affected system.

This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has already obtained access to a target system to execute code. The vulnerability lies in the Common Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()` function, due to a logic bug in handling container context objects. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary code with system-level privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in ransomware campaigns. It involves corrupting the `pContainer` field of a container context object with a user-mode address by using malformed BLF files. Once the vulnerability is exploited, attackers can manipulate memory to execute code with elevated privileges. This allows them to achieve their objectives, such as stealing the System token and gaining full control over the compromised system.

This vulnerability is exploited by an attacker who has already obtained access to a target system to execute code. The vulnerability lies in the Common Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()` function, due to a logic bug in handling container context objects. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary code with system-level privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in ransomware campaigns. It involves corrupting the `pContainer` field of a container context object with a user-mode address by using malformed BLF files. Once the vulnerability is exploited, attackers can manipulate memory to execute code with elevated privileges. This allows them to achieve their objectives, such as stealing the System token and gaining full control over the compromised system.

This vulnerability is exploited by an attacker who has already obtained access to a target system to execute code. The vulnerability lies in the Common Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()` function, due to a logic bug in handling container context objects. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary code with system-level privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in ransomware campaigns. It involves corrupting the `pContainer` field of a container context object with a user-mode address by using malformed BLF files. Once the vulnerability is exploited, attackers can manipulate memory to execute code with elevated privileges. This allows them to achieve their objectives, such as stealing the System token and gaining full control over the compromised system.

This vulnerability is exploited by a local or remote adversary who already has access to the system. The vulnerability enables the attacker to elevate their privileges due to over permissive ACLs on system file and elevate their privileges to SYSTEM level. By exploiting this vulnerability an attacker could gain the ability to run arbitrary code, install programs, view/modify/delete data, or create new user accounts with full rights.

This vulnerability is exploited by a local or remote adversary who already has access to the system. The vulnerability enables the attacker to elevate their privileges due to over permissive ACLs on system file and elevate their privileges to SYSTEM level. By exploiting this vulnerability an attacker could gain the ability to run arbitrary code, install programs, view/modify/delete data, or create new user accounts with full rights.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

This vulnerability is exploited by an attacker who has obtained administrative console access on the target system. The vulnerability lies in the Win32k driver, specifically in the NtGdiResetDC function, due to improper handling of user-mode callbacks. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary kernel commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in espionage campaigns. It involves triggering a use-after-free condition by executing the ResetDC function a second time for the same handle during a callback. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary kernel function calls with controlled parameters. This allows them to achieve their objectives, such as reading and writing kernel memory, with the same permissions as the compromised system's user.

The vulnerability in Microsoft Windows allows local attackers to escalate privileges by exploiting a flaw in the Windows Installer service. By creating a junction, attackers can delete targeted files or directories, potentially executing arbitrary code with SYSTEM privileges. However, attackers must already have access and the ability to execute low-privileged code on the target system to exploit this vulnerability. This vulnerability has been identified as exploited in the wild; however, specific details on how the vulnerability was exploited have not been publicly released.

The vulnerability in Microsoft Windows allows local attackers to escalate privileges by exploiting a flaw in the Windows Installer service. By creating a junction, attackers can delete targeted files or directories, potentially executing arbitrary code with SYSTEM privileges. However, attackers must already have access and the ability to execute low-privileged code on the target system to exploit this vulnerability. This vulnerability has been identified as exploited in the wild; however, specific details on how the vulnerability was exploited have not been publicly released.