CVE-2011-1249

EXPLOITED

Microsoft Windows - Local Privilege Escalation via AFD.sys Input Validation

Title source: llm

Exploitation Summary

CVE-2011-1249 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Tomislav Paskalev, fb1h2s, h3x0v3rl0rd.

AI-analyzed exploit summary: This exploit targets CVE-2011-1249, a privilege escalation vulnerability in the Windows AFD driver (afd.sys) due to improper input validation. It allows local attackers to execute arbitrary code in kernel mode, gaining SYSTEM privileges.

Description

The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

Exploits (6)

exploitdb · WORKING POC · VERIFIED
by Tomislav Paskalev · C · local · windows_x86
https://www.exploit-db.com/exploits/40564

This exploit targets CVE-2011-1249, a privilege escalation vulnerability in the Windows AFD driver (afd.sys) due to improper input validation. It allows local attackers to execute arbitrary code in kernel mode, gaining SYSTEM privileges.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows (multiple versions, x86)
Auth required
Prerequisites: Valid logon credentials · Local access · Unpatched system (KB2503665 or related patches not installed)
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC
by fb1h2s · C · dos · windows
https://www.exploit-db.com/exploits/18755

This exploit targets CVE-2011-1249, a local privilege escalation vulnerability in Windows. It leverages the HalDispatchTable to overwrite memory and achieve SYSTEM privileges by replacing the current process token with the system token.

Classification: Working PoC (90%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (XP and later)
No auth needed
Prerequisites: Local access to the target system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by h3x0v3rl0rd · poc
https://github.com/h3x0v3rl0rd/CVE-2011-1249

This repository contains a functional exploit for CVE-2011-1249, a privilege escalation vulnerability in the Windows AFD driver. The exploit leverages improper input validation in the AFD to execute arbitrary code in kernel mode, granting SYSTEM privileges.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows (multiple versions, including XP, Server 2003, Vista, Server 2008, 7)
Auth required
Prerequisites: Low privilege access to the target system · Unpatched Windows system (KB2503665 or related patches not installed)
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC
by appl3b0y · local
https://github.com/appl3b0y/edb-40564-mingw-fix

This repository contains a functional exploit for CVE-2011-1249, a privilege escalation vulnerability in the Windows AFD.sys driver. The exploit has been modified to fix MinGW cross-compilation issues and includes support for custom command execution.

Classification: Working PoC (100%)
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows XP SP3 x86, Windows Server 2003 SP2 x86, Windows Vista SP1/SP2 x86, Windows Server 2008 x86, Windows 7 x86
Auth required
Prerequisites: Valid logon credentials · Local access to the target system · Unpatched target OS
devstral-2 · analyzed May 19, 2026
nomisec · STUB
by Madusanka99 · poc
https://github.com/Madusanka99/OHTS

The repository contains only a README with a title mentioning CVE-2011-1249 but no exploit code, technical details, or analysis. It appears to be a placeholder or incomplete submission.

Classification: Stub (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Microsoft Windows (afd.sys)
No auth needed
devstral-2 · analyzed Feb 18, 2026
patchapalooza · NO CODE
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

References (3)

Core References (3)

Exploit, Third Party Advisory · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/40564/

Third Party Advisory, VDB Entry · vdb-entry · signature · x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12731

Scores

EPSS: 0.0332
EPSS Percentile: 87.6%

Details

VulnCheck KEV: 2011-06-30
CWE: CWE-264
Status: published
Products (7)
microsoft/windows_2003_server
microsoft/windows_7 (2 CPE variants)
microsoft/windows_server_2003
microsoft/windows_server_2008 (6 CPE variants)
microsoft/windows_server_2008 r2 (2 CPE variants)
microsoft/windows_vista (2 CPE variants)
microsoft/windows_xp (2 CPE variants)
Published: Jun 16, 2011
Tracked Since: Feb 18, 2026