CVE-2015-0008

Microsoft Windows - Remote Code Execution via UNC Share Authentication Bypass

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-0008. PoCs published by Thomas Zuk.

AI-analyzed exploit summary: This exploit leverages CVE-2015-0008 to achieve remote code execution on vulnerable Windows systems by manipulating Group Policy registry keys via ARP spoofing and a malicious SMB server. It uses Metasploit to generate a reverse shell payload and modifies registry entries to disable SMB signing and execute arbitrary DLLs.

Description

The UNC implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not include authentication from the server to the client, which allows remote attackers to execute arbitrary code by making crafted data available on a UNC share, as demonstrated by Group Policy data from a spoofed domain controller, aka "Group Policy Remote Code Execution Vulnerability."

Exploits (1)

exploitdb WORKING POC
by Thomas Zuk · python · remote · windows
https://www.exploit-db.com/exploits/47558

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
No auth needed
Prerequisites: Network access to target and domain controller · ARP spoofing capability · Metasploit for payload generation · KarmaSMB for SMB server setup
devstral-2 · analyzed Feb 16, 2026

References (8)

Core References
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-011
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/787252
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/100426
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031719
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72477

Scores

EPSS 0.2858
EPSS Percentile 97.9%

Details

CWE: CWE-284
Status: published
Products (11)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2003
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 1 more
Published Feb 11, 2015
Tracked Since Feb 18, 2026