CVE-2015-0096

EXPLOITED

Microsoft Windows Shell LNK Code Execution

Title source: metasploit

Exploitation Summary

CVE-2015-0096 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Ivanlef0u, Michael Heerklotz, juan vazquez, Uncredited, Yorick Koster and Spencer McIntyre; these include the Metasploit module exploits/windows/smb/ms15_020_shortcut_icon_dllloader.

AI-analyzed exploit summary: This exploit leverages a vulnerability in Windows Shell32.dll where a maliciously crafted .LNK file can trigger arbitrary code execution via LoadLibraryW. The PoC demonstrates the exploit by loading a DLL from a controlled path, as shown in the debug output.

Description

Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."

Exploits (5)

exploitdb WORKING POC VERIFIED
by Ivanlef0u · text · local · windows
https://www.exploit-db.com/exploits/14403

This exploit leverages a vulnerability in Windows Shell32.dll where a maliciously crafted .LNK file can trigger arbitrary code execution via LoadLibraryW. The PoC demonstrates the exploit by loading a DLL from a controlled path, as shown in the debug output.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on XP SP3)
No auth needed
Prerequisites: Victim interaction to open the .LNK file · Write access to the target filesystem
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Michael Heerklotz, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb

This Metasploit module exploits CVE-2015-0096 by generating a malicious .LNK file that loads a DLL from an SMB share, achieving remote code execution. It leverages a vulnerability in the MS10-046 patch to abuse Windows Shortcut file handling.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on Windows 2003 SP2 and Windows 2008 SP2)
No auth needed
Prerequisites: SMB share access · Target user interaction to open the .LNK file
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GREAT
by Uncredited, Yorick Koster, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb

This Metasploit module exploits CVE-2017-8464, a variant of CVE-2015-0096, by creating a malicious .LNK file that loads a DLL from a crafted Control Panel applet, achieving local privilege escalation on Windows systems.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows (x86/x64)
Auth required
Prerequisites: Write access to a directory indexed by Windows Search · Non-admin session
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GREAT
by Uncredited, Yorick Koster, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb

This Metasploit module exploits CVE-2017-8464, a vulnerability in Windows LNK file handling, by generating a malicious .LNK file that loads a DLL from a specified path, achieving remote code execution. It bypasses the CPL whitelist by using a SpecialFolderDataBlock with a Control Panel folder ID.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (multiple versions)
No auth needed
Prerequisites: Ability to deliver the malicious .LNK and DLL files to the target system (e.g., via USB drive or network share)
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Michael Heerklotz, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb

This Metasploit module exploits CVE-2015-0096 by generating a malicious .LNK file and a DLL payload to achieve remote code execution via improper handling of Windows Shortcut files. It leverages a vulnerability in the MS10-046 patch to load a malicious DLL from a UNC path.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on Windows 2003 SP2 and Windows 2008 SP2)
No auth needed
Prerequisites: Access to a UNC path accessible by the target · Target system must have MS10-046 or MS14-027 patches applied
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1031890
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-020
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72894

Scores

EPSS 0.7125
EPSS Percentile 99.3%

Details

VulnCheck KEV 2021-12-15
CWE CWE-426
Status published
Products (11)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2003
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 1 more
Published Mar 11, 2015
Tracked Since Feb 18, 2026