CVE-2015-0010

Microsoft Windows - CryptProtectMemory Security Feature Bypass via Impersonation Token

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-0010.

AI-analyzed exploit summary This exploit leverages a Windows kernel vulnerability (CVE-2015-0010) to achieve local privilege escalation by manipulating the WM_SYSTIMER message handling mechanism. It replaces the primary token of the current process with that of the SYSTEM process, effectively granting administrative privileges.

Description

The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707.

Exploits (1)

exploitdb WORKING POC

localwindows

https://www.exploit-db.com/exploits/37098

View Code ZIP pw:eip

This exploit leverages a Windows kernel vulnerability (CVE-2015-0010) to achieve local privilege escalation by manipulating the WM_SYSTIMER message handling mechanism. It replaces the primary token of the current process with that of the SYSTEM process, effectively granting administrative privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows XP/2K3/VISTA/2K8/7 (x86/x64)

No auth needed

Prerequisites: Local access to the target system · Vulnerable Windows kernel version

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Patch, Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-010

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/72461

Exploit, Mailing List, Third Party Advisory x_refsource_misc

http://code.google.com/p/google-security-research/issues/detail?id=128

Scores

EPSS 0.0265

EPSS Percentile 83.7%

Details

CWE

CWE-310

Status published

Products (11)

microsoft/windows_7

microsoft/windows_8

microsoft/windows_8.1

microsoft/windows_rt

microsoft/windows_rt_8.1

microsoft/windows_server_2003

microsoft/windows_server_2008

microsoft/windows_server_2008 r2 sp1 (2 CPE variants)

microsoft/windows_server_2012

microsoft/windows_server_2012 r2

... and 1 more

Published Feb 11, 2015

Tracked Since Feb 18, 2026