CVE-2015-0009

Microsoft Windows Group Policy - Security Feature Bypass via Spoofed Domain-Controller Responses

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-0009. PoCs published by Thomas Zuk, PhoenixC46.

AI-analyzed exploit summary: This exploit bypasses Group Policy security settings by corrupting GPO updates via ARP spoofing and packet manipulation, reverting SMB signing requirements to default. It leverages NetSed to modify traffic and requires MITM positioning.

Description

The Group Policy Security Configuration policy implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows man-in-the-middle attackers to disable a signing requirement and trigger a revert-to-default action by spoofing domain-controller responses, aka "Group Policy Security Feature Bypass Vulnerability."

Exploits (2)

exploitdb WORKING POC
by Thomas Zuk · python · remote · windows
https://www.exploit-db.com/exploits/47559

This exploit bypasses Group Policy security settings by corrupting GPO updates via ARP spoofing and packet manipulation, reverting SMB signing requirements to default. It leverages NetSed to modify traffic and requires MITM positioning.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Server 2012 and earlier versions
No auth needed
Prerequisites: Network access to target and domain controller · ARP spoofing capability · NetSed and iptables for traffic manipulation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by PhoenixC46 · poc
https://github.com/PhoenixC46/ExploitPOC_MS15-014_CVE-2015-0009

This PoC exploits CVE-2015-0009 (MS15-014) by manipulating SMB traffic to disable SMB signing requirements on a target machine. It uses ARP spoofing and packet corruption via NetSed to trigger the vulnerability.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Windows Group Policy (SMB signing bypass)
No auth needed
Prerequisites: Network access to target · ARP spoofing capability · NetSed installed · Linux environment for iptables
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-014
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72476
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031722

Scores

EPSS 0.0807
EPSS Percentile 94.1%

Details

CWE: CWE-254
Status: published
Products (11)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2003
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 1 more
Published Feb 11, 2015
Tracked Since Feb 18, 2026