CVE-2015-0002

Microsoft Windows - Privilege Escalation via AhcVerifyAdminContext Impersonation Token Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-0002. PoCs published by Google Security Research, James Forshaw, sinn3r, including Metasploit module exploits/windows/local/ntapphelpcachecontrol.

AI-analyzed exploit summary The writeup details a local privilege escalation vulnerability in Windows 8.1 via NtApphelpCacheControl, where impersonation token checks are bypassed to manipulate the AppCompat cache. The PoC abuses the BITS service to gain an impersonation token and forces a UAC auto-elevate executable to load a malicious DLL.

Description

The AhcVerifyAdminContext function in ahcache.sys in the Application Compatibility component in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not verify that an impersonation token is associated with an administrative account, which allows local users to gain privileges by running AppCompatCache.exe with a crafted DLL file, aka MSRC ID 20544 or "Microsoft Application Compatibility Infrastructure Elevation of Privilege Vulnerability."

Exploits (2)

exploitdb WRITEUP VERIFIED
by Google Security Research · textlocalwindows
https://www.exploit-db.com/exploits/35661

The writeup details a local privilege escalation vulnerability in Windows 8.1 via NtApphelpCacheControl, where impersonation token checks are bypassed to manipulate the AppCompat cache. The PoC abuses the BITS service to gain an impersonation token and forces a UAC auto-elevate executable to load a malicious DLL.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Windows 8.1 Update (32/64 bit)
Auth required
Prerequisites: UAC enabled · Split-token admin user · Default UAC settings
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC NORMAL
by James Forshaw, sinn3r · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ntapphelpcachecontrol.rb

This Metasploit module exploits CVE-2015-0002, a local privilege escalation vulnerability in Windows 8/8.1 due to improper authorization checks in NtApphelpCacheControl. It bypasses admin checks by impersonating a system token and injects a payload DLL to achieve elevated privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows 8 and 8.1
Auth required
Prerequisites: Local access to the target system · Access to C:\Windows\System\ComputerDefaults.exe · A valid user session
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99523
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71972
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/99524
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/61277

Scores

EPSS 0.1380
EPSS Percentile 96.0%

Details

CWE
CWE-264
Status published
Products (8)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
Published Jan 13, 2015
Tracked Since Feb 18, 2026