CVE-2004-0894

Windows 2000/2003 - Privilege Escalation

Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-0894. PoCs published by Cesar Cerrudo.

AI-analyzed exploit summary: This exploit leverages a token impersonation vulnerability in the Windows Installer service (msi.dll) to escalate privileges to Local System. It replaces utilman.exe with notepad.exe, allowing command execution with elevated privileges via WinKey+U.

Description

LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Cesar Cerrudo · c++ · local · windows
https://www.exploit-db.com/exploits/749

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (affected versions include Windows XP and Windows Server 2003)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code on the target
devstral-2 · analyzed Feb 18, 2026

References (8)

Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4368
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2062
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3312
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/18340
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A778
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3325
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1888

Scores

EPSS 0.0107
EPSS Percentile 78.2%

Details

Status published
Products (8)
microsoft/windows_2000 (5 CPE variants)
microsoft/windows_2003_server datacenter_64-bit sp1_beta_1
microsoft/windows_2003_server enterprise (2 CPE variants)
microsoft/windows_2003_server enterprise_64-bit (2 CPE variants)
microsoft/windows_2003_server r2 (3 CPE variants)
microsoft/windows_2003_server standard (2 CPE variants)
microsoft/windows_2003_server web (2 CPE variants)
microsoft/windows_xp (9 CPE variants)
Published Jan 10, 2005
Tracked Since Feb 18, 2026