Metasploit Exploits
3,315 exploits tracked across all sources.
Microsoft Internet Explorer 10-11 - Privilege Escalation
Microsoft Internet Explorer 10 and 11 allows local users to bypass the Protected Mode protection mechanism, and consequently gain privileges, by leveraging the ability to execute sandboxed code, aka "Internet Explorer Elevation of Privilege Vulnerability."
by James Forshaw, juan vazquez
Windows 10 1507-21H1, Windows 11, Windows Server 2004-2019 - Use-After-Free in Win32k
Win32k Elevation of Privilege Vulnerability
by IronHusky, Costin Raiu, Boris Larin, Red Raindrop Team of Qi (detailed analysis report in Chinese showing how to replicate the vulnerability), and the author of the first public POC targeting Windows 10 build 14393
CVSS 7.8
Ricoh Printer Drivers - Local Privilege Escalation via Incorrect Permission Assignment
An issue was discovered in Ricoh (including Savin and Lanier) Windows printer drivers prior to 2020 that allows local attackers to escalate privileges. Affected drivers and versions: PCL6 Driver for Universal Print, version 4.0 or later; PS Driver for Universal Print, version 4.0 or later; PC FAX Generic Driver, all versions; Generic PCL5 Driver, all versions; RPCS Driver, all versions; PostScript3 Driver, all versions; PCL6 (PCL XL) Driver, all versions; RPCS Raster Driver, all versions.
by Alexander Pudwill, Pentagrid AG, Shelby Pace
CVSS 7.8
Windows - Elevation of Privilege via ALPC
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
by SandboxEscaper, bwatters-r7, asoto-r7, Jacob Robles
CVSS 7.8
Windows UPnP Service - Privilege Escalation via COM Object Creation
An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.
by NCC Group, hoangprod, bwatters-r7
CVSS 7.8
NVIDIA Display Driver <307.78 & R310<311.00 - Privilege Escalation/DoS via Exception Handling
The NVIDIA driver before 307.78, and Release 310 before 311.00, in the NVIDIA Display Driver service on Windows does not properly handle exceptions, which allows local users to gain privileges or cause a denial of service (memory overwrite) via a crafted application.
by Peter Wintersmith, Ben Campbell
Windows - Elevation of Privilege in Win32k Component
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
by ze0r, Kaspersky Lab, Jacob Robles
CVSS 7.8
Microsoft Windows Server 2003 SP2 - Privilege Escalation
Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."
Cisco Webex Meetings <33.6.4 & Productivity Tools 32.6.0-33.0.6 OS Command Injection
A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.
CVSS 7.8
Microsoft Windows - Kernel ASLR Bypass via Crafted Application
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to bypass the ASLR protection mechanism via a crafted application, aka "Kernel ASLR Bypass Vulnerability."
by Eugene Ching, Mateusz Jurczyk, Cedric Halbronn, juan vazquez
Windows NT and Windows 2000 - Unauthenticated Local Account Access via Default Null Password
A Windows NT local user or administrator account has a default, null, blank, or missing password.
by egypt, jabra
Microsoft Windows - Privilege Escalation via AhcVerifyAdminContext Impersonation Token Bypass
The AhcVerifyAdminContext function in ahcache.sys in the Application Compatibility component in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not verify that an impersonation token is associated with an administrative account, which allows local users to gain privileges by running AppCompatCache.exe with a crafted DLL file, aka MSRC ID 20544 or "Microsoft Application Compatibility Infrastructure Elevation of Privilege Vulnerability."
by James Forshaw, sinn3r
Windows NT and Windows 2000 - Unauthenticated Local Account Access via Default Null Password
A Windows NT local user or administrator account has a default, null, blank, or missing password.
by Ben Campbell
Oracle VM VirtualBox <4.3.12 - Unspecified Local Vulnerability (Core)
Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-2486.
NSClient++ <0.5.2.35 - Privilege Escalation
A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API.
This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions.
by kindredsec, BZYO
CVSS 7.8
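The chain above hinges on three conditions being true at once: the administrative password sits in nsclient.ini in plaintext, the web interface is enabled, and the ExternalScripts feature is enabled. The following Python is an added triage script, not code from the Metasploit module or from NSClient++, that parses an nsclient.ini and reports whether that chain is possible. The section and key names it looks for ([/modules] WebServer and CheckExternalScripts, [/settings/default] password, [/settings/WEB/server] port) are assumptions about the NSClient++ INI layout, and both sample configurations are constructed for the example.

```python
import configparser
import subprocess

# Constructed sample resembling the vulnerable state described above
# (key and section names are assumptions about NSClient++'s INI format).
SAMPLE_INI = """\
; nsclient.ini (constructed sample, not a real deployment)
[/modules]
WebServer = enabled
CheckExternalScripts = enabled
CheckSystem = enabled

[/settings/default]
allowed hosts = 127.0.0.1
password = SuperSecret123

[/settings/WEB/server]
port = 8443
"""

# Constructed sample with ExternalScripts turned off: the password is still
# stored in plaintext, but the command-execution leg of the chain is gone.
HARDENED_INI = """\
[/modules]
WebServer = enabled
CheckExternalScripts = disabled

[/settings/default]
allowed hosts = 127.0.0.1
password = SuperSecret123
"""


def _enabled(cp, section, key):
    """True when section/key is literally 'enabled' (case-insensitive); False if absent."""
    if not cp.has_section(section):
        return False
    return cp.get(section, key, fallback="").strip().lower() == "enabled"


def audit_nsclient_ini(text):
    """Parse nsclient.ini text and report the three preconditions for the LPE chain."""
    # interpolation=None so a '%' inside the password does not raise;
    # allow_no_value=True so a bare 'password' line still parses.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)

    password = cp.get("/settings/default", "password", fallback=None)
    findings = {
        "plaintext_password": bool(password and password.strip()),
        "web_server_enabled": _enabled(cp, "/modules", "WebServer"),
        "external_scripts_enabled": _enabled(cp, "/modules", "CheckExternalScripts"),
        # 8443 is the default port the entry above mentions; used only as a fallback.
        "web_port": cp.get("/settings/WEB/server", "port", fallback="8443").strip(),
    }
    # A local user needs all three to go from reading the INI to SYSTEM.
    findings["lpe_chain_possible"] = (
        findings["plaintext_password"]
        and findings["web_server_enabled"]
        and findings["external_scripts_enabled"]
    )
    return findings


def audit_nsclient_file(path):
    """Audit an on-disk nsclient.ini (assumed path supplied by the caller)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_nsclient_ini(fh.read())


def ini_acl_report(path):
    """Windows only: return the icacls output for the INI so you can confirm
    whether non-administrative users (e.g. BUILTIN\\Users) can read it.
    The file ACL is the fourth precondition and cannot be judged from the INI text."""
    return subprocess.run(["icacls", path], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label, ini in (("vulnerable sample", SAMPLE_INI), ("hardened sample", HARDENED_INI)):
        print(label, audit_nsclient_ini(ini))
```

Run it against the real file (typically under the NSClient++ install directory) together with `icacls` on that file: a plaintext password alone is a finding, but the SYSTEM command execution path only exists when ExternalScripts and the web interface are both on and the INI is readable by the low-privileged user.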
Microsoft Windows Shell LNK Code Execution
Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
by Uncredited, Yorick Koster, Spencer McIntyre
Windows Error Reporting Service - Privilege Escalation
Windows Error Reporting Service Elevation of Privilege Vulnerability
by Filip Dragović (Wh04m1001), Octoberfest7, bwatters-r7
CVSS 7.8
Windows Ancillary Function Driver - Privilege Escalation
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
by chompie, b33f, Yarden Shafir, Christophe De La Fuente
CVSS 7.8
Windows Kernel-Mode Driver - Privilege Escalation
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
by AngelBoy, varwara, jheysel-r7
CVSS 7.8
Windows Defender - Elevation of Privilege via Arbitrary File Deletion
An elevation of privilege vulnerability exists in Windows Defender that leads to arbitrary file deletion on the system. To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Windows Defender Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1163.
by James Forshaw, Grant Willcox
CVSS 7.8
Win32k ConsoleControl Offset Confusion
Win32k Elevation of Privilege Vulnerability
by BITTER APT, JinQuan, MaDongZe, TuXiaoYi, LiHao, L4ys, KaLendsi, Spencer McIntyre
CVSS 7.0
Razer Synapse <2.20.15.1104 - Privilege Escalation
A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.
CVSS 9.8
GOG Galaxy < 1.2.64 and 2.0.x <= 2.0.12 - Local Privilege Escalation via GalaxyClientService
The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Because the software ships with an embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software.
CVSS 8.4
Lenovo System Update < 5.06.0034 - Privilege Escalation via Predictable Security Token
Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allows local users to gain privileges by sending a valid token with a command to the System Update service (SUService.exe) through an unspecified named pipe.
by Michael Milvich, Sofiane Talmat, h0ng10
Windows User Profile Service - Privilege Escalation
Windows User Profile Service Elevation of Privilege Vulnerability
by KLINIX5, Grant Willcox
CVSS 7.0