CVE-2011-2005

HIGH KEV

Microsoft Windows XP/Server 2003 - Privilege Escalation


Exploitation Summary

CVE-2011-2005 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 28, 2022). EIP tracks 3 public exploits, from Metasploit, ryujin and Ascotbe.

AI-analyzed exploit summary: The public exploits turn the afd.sys kernel memory corruption into arbitrary code execution in kernel mode. The Metasploit module overwrites a HalDispatchTable entry and triggers the overwritten pointer through NtQueryIntervalProfile, elevates to SYSTEM and injects its payload into another SYSTEM process; ryujin's Python exploit uses the same kernel-mode execution to steal a SYSTEM token for the calling process.

Description

afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/21844

This Metasploit module exploits a kernel memory corruption vulnerability in afd.sys (CVE-2011-2005) to achieve local privilege escalation: it overwrites a HalDispatchTable entry and triggers the overwritten pointer through NtQueryIntervalProfile. It elevates to SYSTEM and injects the payload into another SYSTEM process.

Classification
Working PoC (100%)
Attack type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows XP SP2/SP3, Windows Server 2003 SP2 (afd.sys driver)
Auth required: yes (an existing Meterpreter session on the target)
Prerequisites: Local access to a vulnerable Windows system · Meterpreter session
devstral-2 · analyzed Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by ryujin · python · local · windows
https://www.exploit-db.com/exploits/18176

This is a functional privilege escalation exploit for CVE-2011-2005 targeting the afd.sys driver vulnerability in Windows XP and Windows Server 2003. It leverages the kernel memory corruption flaw to execute arbitrary code in kernel mode, specifically to steal a SYSTEM token for the calling process.

Classification
Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows XP SP3, Windows Server 2003 SP2
Auth required: low-privileged local user (no administrative rights)
Prerequisites: Local access to the target system · 32-bit Windows XP SP3 or Windows Server 2003 SP2
devstral-2 · analyzed Feb 18, 2026
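The HalDispatchTable overwrite, the NtQueryIntervalProfile trigger and the token-stealing payload described in the two exploit entries above, modelled end to end in user-mode C. This is an added example, not code from the page, the Metasploit module or ryujin's exploit: the process list, token and HAL table are simplified stand-ins with made-up layouts, `kernel_arbitrary_write` stands in for the afd.sys corruption (whose exact shape the page does not describe), and `NtQueryIntervalProfile_model` reproduces only the fact that a non-standard profile source is dispatched through HalDispatchTable[1]. It compiles and runs on any host; nothing here touches a real kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * User-mode model of the exploitation chain described for CVE-2011-2005:
 *   1. an arbitrary kernel write (stand-in for the afd.sys corruption),
 *   2. used to overwrite HalDispatchTable[1] (HaliQuerySystemInformation),
 *   3. reached from user mode through NtQueryIntervalProfile,
 *   4. running a token-stealing payload that copies the System process's
 *      token into the caller's process object.
 * Structures, offsets and status codes are illustrative, not Windows'.
 */

#define STATUS_SUCCESS          0L
#define STATUS_NOT_IMPLEMENTED  ((long)0xC0000002L)
#define PROFILE_TIME            0      /* the one source the kernel answers itself */
#define SYSTEM_PID              4

typedef struct Token { const char *owner; } Token;

typedef struct Eprocess {
    uint32_t          pid;
    struct Eprocess  *next;   /* ActiveProcessLinks, simplified to a ring */
    Token            *token;  /* EPROCESS.Token */
} Eprocess;

typedef long (*hal_fn)(int info_class, void *buffer);

/* Writable table of function pointers: why one pointer-sized write is enough. */
static hal_fn HalDispatchTable[4];

static Token     system_token = { "SYSTEM" };
static Token     user_token   = { "lowpriv" };
static Eprocess  procs[3];
static Eprocess *current_process;

static long hali_query_system_information(int info_class, void *buffer) {
    (void)info_class; (void)buffer;
    return STATUS_NOT_IMPLEMENTED;
}

/* Fresh "kernel": pid 4 is System, pid 1234 is the attacker's process. */
static void reset_kernel(void) {
    procs[0] = (Eprocess){ SYSTEM_PID, &procs[1], &system_token };
    procs[1] = (Eprocess){ 600,        &procs[2], &user_token   };
    procs[2] = (Eprocess){ 1234,       &procs[0], &user_token   };
    current_process = &procs[2];
    memset(HalDispatchTable, 0, sizeof HalDispatchTable);
    HalDispatchTable[1] = hali_query_system_information;
}

/* Stand-in for the vulnerable driver: attacker-chosen bytes written to an
 * attacker-chosen kernel address. The real afd.sys bug is not modelled. */
static void kernel_arbitrary_write(void *where, const void *value, size_t len) {
    memcpy(where, value, len);
}

/* Token-stealing payload: walk the process ring to pid 4 and copy its token
 * over the caller's. Returns success so the trigger syscall returns cleanly. */
static long steal_system_token(int info_class, void *buffer) {
    (void)info_class; (void)buffer;
    Eprocess *p = current_process;
    do {
        if (p->pid == SYSTEM_PID) { current_process->token = p->token; break; }
        p = p->next;
    } while (p != current_process);
    return STATUS_SUCCESS;
}

/* Model of the syscall path: NtQueryIntervalProfile -> KeQueryIntervalProfile,
 * which for any non-standard profile source asks the HAL via table entry 1.
 * The syscall itself needs no privilege, which is what makes it a trigger. */
static long NtQueryIntervalProfile_model(int profile_source, uint32_t *interval) {
    if (profile_source == PROFILE_TIME) { *interval = 10000; return STATUS_SUCCESS; }
    return HalDispatchTable[1](/* HalProfileSourceInformation */ 1, interval);
}

/* Full chain; returns 1 if the calling process now holds the SYSTEM token. */
static int run_exploit_chain(void) {
    hal_fn   payload  = steal_system_token;
    uint32_t interval = 0;
    kernel_arbitrary_write(&HalDispatchTable[1], &payload, sizeof payload);
    NtQueryIntervalProfile_model(/* any non-PROFILE_TIME source */ 2, &interval);
    return current_process->token == &system_token;
}

static const char *current_token_owner(void) { return current_process->token->owner; }

int main(void) {
    reset_kernel();
    printf("before: %s\n", current_token_owner());
    run_exploit_chain();
    printf("after:  %s\n", current_token_owner());
    return 0;
}
```

What the model makes visible: the overwritten pointer is reached by a legitimate, unprivileged syscall, so the only primitive the bug must supply is one pointer-sized kernel write. A real exploit against 32-bit XP/2003 additionally has to locate the table (ntoskrnl base via NtQuerySystemInformation plus the export's offset from a user-mode copy of the image), which the model skips.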
patchapalooza · WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository collects documentation and configuration scripts for a set of Windows exploits, including CVE-2003-0352, CVE-2006-3439 and CVE-2008-1084 among others. It includes README files in both Chinese and English and a Python script that generates the documentation.

Classification
Writeup (90%)
Attack type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Various Windows vulnerabilities
Auth required: none (public repository)
Prerequisites: Access to the repository · Python environment for documentation generation
devstral-2 · analyzed Feb 23, 2026

References (3)


Scores

CVSS v3.1: 7.8 (High)
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.6709 (67.1% estimated probability of exploitation activity in the next 30 days)
EPSS percentile: 98.6%
Attack vector: Local

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical impact: total

Details

CISA KEV: 2022-03-28
VulnCheck KEV: 2016-04-01
InTheWild.io: 2022-03-28
ENISA EUVD: EUVD-2011-1999
Status: published
Products (2)
microsoft/windows_server_2003
microsoft/windows_xp (2 CPE variants)
Published Oct 12, 2011
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026