CVE-2013-5065

HIGH KEV

Microsoft Windows XP/Server 2003 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2013-5065 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 4 public exploits from researchers including Metasploit, ryujin, and Tomislav Paskalev.

Description

NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/30392

This Metasploit module exploits a NULL pointer dereference vulnerability in the ndproxy.sys driver on Windows XP SP3 and Windows Server 2003 SP2. It leverages unsafe array indexing during IO control code processing to achieve local privilege escalation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows ndproxy.sys (Windows XP SP3, Windows Server 2003 SP2)
No auth needed
Prerequisites: Routing and Remote Access service must be running
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by ryujin · python · local · windows
https://www.exploit-db.com/exploits/30014

This exploit leverages a null pointer dereference vulnerability in the Windows NDProxy driver (CVE-2013-5065) to achieve local privilege escalation (LPE) to SYSTEM. It allocates executable memory at the null page, writes shellcode, and triggers the vulnerability via a crafted DeviceIoControl call.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows NDProxy driver (Windows XP SP3 tested)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · NDProxy driver loaded
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC
by Tomislav Paskalev · c · local · windows_x86
https://www.exploit-db.com/exploits/37732

This exploit leverages a vulnerability in NDProxy.sys (CVE-2013-5065) to achieve local privilege escalation on Windows XP SP3 and Windows 2003 SP2 by writing shellcode to a specific memory location and triggering it via DeviceIoControl.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows XP SP3 x86, Windows 2003 SP2 x86
Auth required
Prerequisites: Low privilege access · Routing and Remote Access service running · KB2914368 not installed
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by Friarfukd · poc
https://github.com/Friarfukd/RobbinHood

The repository contains only a README.md file with no technical details or exploit code. It appears to be a placeholder or stub for CVE-2013-5065.

Classification: Stub 10%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37732/
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-002
Patch, Vendor Advisory x_refsource_confirm
http://technet.microsoft.com/security/advisory/2914486

Scores

CVSS v3 7.8
EPSS 0.7298
EPSS Percentile 98.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2013-11-27
InTheWild.io 2018-10-12
ENISA EUVD EUVD-2013-4907
Status published
Products (2)
microsoft/windows_2003_server
microsoft/windows_xp (2 CPE variants)
Published Nov 28, 2013
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026