CVE-2013-3956

EXPLOITED

Novell Client - Local Privilege Escalation via NICM.SYS IOCTL 0x143B6B

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2013-3956 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including sickness, Metasploit, Unknown, juan vazquez, including a Metasploit module exploits/windows/local/novell_client_nicm.

AI-analyzed exploit summary This exploit targets a privilege escalation vulnerability in Novell Client 2 SP3 (nicm.sys 3.1.11.0) on Windows 7 and 8 (x86). It leverages a vulnerable IOCTL (0x00143B6B) to execute shellcode that steals the SYSTEM token, granting elevated privileges.

Description

The NICM.SYS kernel driver 3.1.11.0 in Novell Client 4.91 SP5 on Windows XP and Windows Server 2003; Novell Client 2 SP2 on Windows Vista and Windows Server 2008; and Novell Client 2 SP3 on Windows Server 2008 R2, Windows 7, Windows 8, and Windows Server 2012 allows local users to gain privileges via a crafted 0x143B6B IOCTL call.

Exploits (3)

exploitdb WORKING POC VERIFIED
by sickness · pythonlocalwindows
https://www.exploit-db.com/exploits/27191

This exploit targets a privilege escalation vulnerability in Novell Client 2 SP3 (nicm.sys 3.1.11.0) on Windows 7 and 8 (x86). It leverages a vulnerable IOCTL (0x00143B6B) to execute shellcode that steals the SYSTEM token, granting elevated privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Novell Client 2 SP3 (nicm.sys 3.1.11.0)
No auth needed
Prerequisites: Windows 7 or 8 (x86) · Novell Client 2 SP3 installed · Local access to the system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows_x86
https://www.exploit-db.com/exploits/26452

This Metasploit module exploits a flaw in the nicm.sys driver (CVE-2013-3956) to execute arbitrary code in kernel space via an ioctl request with code 0x143B6B, allowing local privilege escalation on Windows 7 SP1 with Novell Client 2 SP3.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Novell Client 2 SP3 (nicm.sys v3.1.5)
No auth needed
Prerequisites: Local access to a vulnerable system · Novell Client 2 SP3 installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Unknown, juan vazquez · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/novell_client_nicm.rb

This Metasploit module exploits a flaw in the Novell Client 2 SP3 nicm.sys driver to execute arbitrary code in kernel space via a user-provided pointer used as a function pointer in ioctl requests. It includes token-stealing shellcode for local privilege escalation on Windows 7 SP1.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Novell Client 2 SP3 (nicm.sys v3.1.5)
No auth needed
Prerequisites: Windows 7 SP1 with Novell Client 2 SP3 installed · Local access to the system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/26452
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/27191
Exploit x_refsource_misc
http://pastebin.com/GB4iiEwR
Vendor Advisory x_refsource_confirm
http://www.novell.com/support/kb/doc.php?id=7012497

Scores

EPSS 0.0215
EPSS Percentile 84.7%

Details

VulnCheck KEV 2021-12-13
CWE
CWE-264
Status published
Products (2)
novell/client 4.91 sp5
novell/client 2.0 sp2 (2 CPE variants)
Published Jul 31, 2013
Tracked Since Feb 18, 2026