CVE-2010-0232

HIGH KEV

Windows SYSTEM Escalation via KiTrap0D

Title source: metasploit

Exploitation Summary

CVE-2010-0232 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 3 public exploits from researchers including Tavis Ormandy, azorfus, HD Moore and OJ Reeves, among them the Metasploit module exploits/windows/local/ms10_015_kitrap0d.

AI-analyzed exploit summary: This is a detailed technical analysis of CVE-2010-0232, explaining how the Windows NT #GP Trap Handler vulnerability allows local privilege escalation by manipulating the kernel stack. It includes root cause analysis, affected software, and mitigation strategies.

Description

The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability."

Exploits (3)

exploitdb WRITEUP VERIFIED
by Tavis Ormandy · text · local · windows
https://www.exploit-db.com/exploits/11199

Classification: Writeup 100%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows NT (all 32-bit x86 versions up to Windows 7)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code in user mode
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by azorfus · local
https://github.com/azorfus/CVE-2010-0232

This repository contains a functional local privilege escalation exploit for CVE-2010-0232, targeting a vulnerability in the Windows NT kernel's NtVdmControl function. The exploit leverages the KiTrap0d vulnerability to escalate privileges to SYSTEM by manipulating the VDM subsystem.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows NT/2K/XP/2K3/Vista/2K8/7
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC GREAT
by Tavis Ormandy, HD Moore, OJ Reeves · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms10_015_kitrap0d.rb

This Metasploit module exploits CVE-2010-0232 (KiTrap0D) to escalate privileges to SYSTEM on vulnerable Windows systems (x86 only). It uses reflective DLL injection to execute the exploit payload.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 2000 SP4 to Windows 7 (x86)
Auth required
Prerequisites: Existing session on target · x86 architecture · Vulnerable Windows version
devstral-2 · analyzed Feb 16, 2026

References (15)

Core References

- Patch, Vendor Advisory (vendor-advisory, x_refsource_ms): https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015
- Broken Link, Patch, Vendor Advisory (x_refsource_confirm): http://www.microsoft.com/technet/security/advisory/979682.mspx
- Third Party Advisory, US Government Resource (third-party-advisory, x_refsource_cert): http://www.us-cert.gov/cas/techalerts/TA10-040A.html
- Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://securitytracker.com/id?1023471
- Exploit, Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2010/Jan/341
- Broken Link, Vendor Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2010/0179
- Broken Link, Exploit, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/37864
- Broken Link, Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/38265
- Broken Link, Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/509106/100/0/threaded
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/55742

Scores

CVSS v3 7.8
EPSS 0.7520
EPSS Percentile 98.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2016-08-04
InTheWild.io 2022-03-03
ENISA EUVD EUVD-2010-0263
Status published
Products (3)
microsoft/windows_2000
microsoft/windows_7
microsoft/windows_xp (2 CPE variants)
Published Jan 21, 2010
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026