CVE-2013-3660

HIGH · KEV · RANSOMWARE

Windows - Local Privilege Escalation via EPATHOBJ::pprFlattenRec Pointer Initialization

Title source: llm

Exploitation Summary

CVE-2013-3660 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 28, 2022), with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including Tavis Ormandy and ExploitCN, among them the Metasploit module exploits/windows/local/ppr_flatten_rec.

AI-analyzed exploit summary: This exploit leverages a race condition in the Windows kernel's EPATHOBJ::bFlatten function to achieve arbitrary memory writes, leading to a SYSTEM privilege escalation. The PoC uses a watchdog thread to patch a compromised linked list while the kernel is stuck in a loop, demonstrating a reliable LPE on Windows 8.

Description

The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."

Exploits (5)

exploitdb · WORKING POC · VERIFIED
by Tavis Ormandy · text · dos · windows
https://www.exploit-db.com/exploits/25611

This exploit leverages a race condition in the Windows kernel's EPATHOBJ::bFlatten function to achieve arbitrary memory writes, leading to a SYSTEM privilege escalation. The PoC uses a watchdog thread to patch a compromised linked list while the kernel is stuck in a loop, demonstrating a reliable LPE on Windows 8.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (win32k.sys)
No auth needed
Prerequisites: Access to a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026

exploitdb · WORKING POC
c · local · windows
https://www.exploit-db.com/exploits/25912

This exploit targets a memory corruption vulnerability in the Windows kernel (win32k.sys) via the EPATHOBJ::pprFlattenRec function, allowing local privilege escalation by manipulating PATHRECORD structures through crafted PolyDraw operations.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (NT/2K/XP/2K3/VISTA/2K8/7/8)
No auth needed
Prerequisites: Local access to the target system · Ability to execute arbitrary code in user mode
devstral-2 · analyzed Feb 19, 2026

exploitdb · WORKING POC
ruby · local · windows
https://www.exploit-db.com/exploits/26554

This Metasploit module exploits a local privilege escalation vulnerability in Windows (CVE-2013-3660) by corrupting memory via uninitialized data in EPATHOBJ::pprFlattenRec. It migrates to a new process, loads an exploit DLL, and escalates privileges to SYSTEM.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows XP SP3, Windows 2003 SP1, Windows 7 SP1
No auth needed
Prerequisites: Local access to the target system · 32-bit Windows OS
devstral-2 · analyzed Feb 19, 2026

metasploit · WORKING POC · NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ppr_flatten_rec.rb

This Metasploit module exploits a memory corruption vulnerability in EPATHOBJ::pprFlattenRec due to uninitialized data usage, allowing local privilege escalation on vulnerable Windows systems. It checks the target system's win32k.sys version for vulnerability and reflectively injects a DLL payload to trigger the exploit.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows XP SP3, Windows 2003 SP1, Windows 7 SP1 (win32k.sys)
Auth required
Prerequisites: Local access to the target system · Meterpreter session · Vulnerable win32k.sys version
devstral-2 · analyzed Feb 19, 2026

References (15)

Core References
http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0094.html (mailing-list, x_refsource_fulldisc; broken link)
http://www.exploit-db.com/exploits/25611/ (exploit, x_refsource_exploit-db; Exploit, Third Party Advisory, VDB Entry)
http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0090.html (mailing-list, x_refsource_fulldisc; broken link)
http://secunia.com/advisories/53435 (third-party-advisory, x_refsource_secunia; Vendor Advisory, broken link)
http://www.osvdb.org/93539 (vdb-entry, x_refsource_osvdb; broken link)
http://www.computerworld.com/s/article/9239477 (x_refsource_misc; broken link)
http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0006.html (mailing-list, x_refsource_fulldisc; broken link)
http://www.us-cert.gov/ncas/alerts/TA13-190A (third-party-advisory, x_refsource_cert; Third Party Advisory, US Government Resource)
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-053 (vendor-advisory, x_refsource_ms; Patch, Vendor Advisory)

Scores

CVSS v3 7.8
EPSS 0.7063
EPSS Percentile 98.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2015-01-06
InTheWild.io 2022-03-28
ENISA EUVD EUVD-2013-3593
Ransomware Use Confirmed
CWE
CWE-119
Status published
Products (9)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_rt
microsoft/windows_server_2003
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_vista
microsoft/windows_xp (2 CPE variants)
Published May 24, 2013
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026