CVE-2009-0080

EXPLOITED

Windows Vista Gold/SP1 & Server 2008 - Privilege Escalation

Title source: llm

Description

The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by leveraging incorrect thread ACLs to access the resources of one of the processes, aka "Windows Thread Pool ACL Weakness Vulnerability."

Exploits (1)

exploitdb SUSPICIOUS VERIFIED

by Cesar Cerrudo · textlocalwindows

https://www.exploit-db.com/exploits/32893

View Code ZIP pw:eip

References (6)

[Broken Link] http://osvdb.org/53668

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1022044

[Third Party Advisory, US Government Resource] http://www.us-cert.gov/cas/techalerts/TA09-104A.html

[Permissions Required] http://www.vupen.com/english/advisories/2009/1026

[Patch, Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-012

[Third Party Advisory] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6177

Scores

EPSS 0.0215

EPSS Percentile 84.3%

Details

VulnCheck KEV 2009-04-14

CWE

CWE-269

Status published

Products (2)

microsoft/windows_server_2008

microsoft/windows_vista (4 CPE variants)

Published Apr 15, 2009

Tracked Since Feb 18, 2026