CVE-2006-6952

Computer Associates HIPS - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-6952. PoCs published by Ruben Santamarta.

AI-analyzed exploit summary: This exploit leverages a local privilege escalation vulnerability in CA Personal Firewall 2007 by injecting a malicious callback function via DeviceIoControl to execute arbitrary code with SYSTEM privileges. It triggers the payload by sending an ICMP echo request.

Description

Computer Associates Host Intrusion Prevention System (HIPS) drivers (1) Core kmxstart.sys 6.5.4.31 and (2) Firewall kmxfw.sys 6.5.4.10 allow local users to gain privileges by using certain privileged IOCTLs to modify callback function pointers.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Ruben Santamarta · c · local · windows
https://www.exploit-db.com/exploits/29070

This exploit leverages a local privilege escalation vulnerability in CA Personal Firewall 2007 by injecting a malicious callback function via DeviceIoControl to execute arbitrary code with SYSTEM privileges. It triggers the payload by sending an ICMP echo request.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: CA Personal Firewall 2007 (v9.0) Engine version 1.0.173 and prior, CA Internet Security Suite 2007 version 3.0 with CA Personal Firewall 2007 version 9.0 Engine version 1.0.173 and prior
No auth needed
Prerequisites: Local access to the vulnerable system · Vulnerable CA Personal Firewall or Internet Security Suite installed
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Ruben Santamarta · c · local · windows
https://www.exploit-db.com/exploits/29069

This exploit targets a local privilege escalation vulnerability in CA Personal Firewall 2007 by injecting a malicious callback into the Kmxfw.sys driver via DeviceIoControl. It then triggers the callback by sending an ICMP echo request, executing arbitrary code in Ring0 (kernel mode).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: CA Personal Firewall 2007 (v9.0) Engine version 1.0.173 and prior, CA Internet Security Suite 2007 version 3.0 with CA Personal Firewall 2007 version 9.0 Engine version 1.0.173 and prior
No auth needed
Prerequisites: Local access to the vulnerable system · Vulnerable CA Personal Firewall or Internet Security Suite installed
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/452286/100/0/threaded
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21140
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/30497
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/451952/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22972
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/30498
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/458040/100/200/threaded

Scores

EPSS 0.0102
EPSS Percentile 58.9%

Details

Status published
Products (2)
ca/host-based_intrusion_prevention_system core_6.5.4.31
ca/host-based_intrusion_prevention_system firewall_6.5.4.10
Published Jan 24, 2007
Tracked Since Feb 18, 2026