CVE-2015-1701

HIGH KEV RANSOMWARE

Microsoft Win32k - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2015-1701 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022, with confirmed use in ransomware campaigns. EIP tracks 10 public exploits from sources including Metasploit, hfiref0x and OpenSISE, among them the Metasploit module exploits/windows/local/ms15_051_client_copy_image.

AI-analyzed exploit summary: This Metasploit module exploits a vulnerability in the win32k.sys kernel mode driver (CVE-2015-1701) to achieve local privilege escalation on Windows 7 and Windows Server 2008 R2 systems. It injects a reflective DLL into a target process (e.g., notepad.exe) to execute the exploit payload.

Description

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

Exploits (10)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/37367

This Metasploit module exploits a vulnerability in the win32k.sys kernel mode driver (CVE-2015-1701) to achieve local privilege escalation on Windows 7 and Windows Server 2008 R2 systems. It injects a reflective DLL into a target process (e.g., notepad.exe) to execute the exploit payload.

Classification: Working Poc 100%
Attack Type: Lpe
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1 (win32k.sys)
Auth required
Prerequisites: Local access to the target system · Non-admin user session · Metasploit framework
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by hfiref0x · text · local · windows
https://www.exploit-db.com/exploits/37049

This exploit targets a Win32k local privilege escalation vulnerability (CVE-2015-1701) used in APT attacks. It includes compiled binaries and source code for both x86 and x64 architectures, demonstrating a functional exploit for escalating privileges on Windows systems.

Classification: Working Poc 95%
Attack Type: Lpe
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (Win32k.sys)
No auth needed
Prerequisites: Local access to a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 291 stars
by hfiref0x · local
https://github.com/hfiref0x/CVE-2015-1701

This is a working proof-of-concept exploit for CVE-2015-1701, a Win32k Elevation of Privilege Vulnerability. It leverages a hook in the _ClientCopyImage function to execute a token-stealing payload, elevating privileges to SYSTEM.

Classification: Working Poc 95%
Attack Type: Lpe
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (affected versions prior to MS15-051)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code on the target
devstral-2 · analyzed Feb 16, 2026

github STUB 31 stars
by OpenSISE · c · poc
https://github.com/OpenSISE/CVE_PoC_Collect/tree/master/EoP/windows/CVE-2015-1701

The repository contains only a README with basic CVE information, references to external sources, and no actual exploit code or technical details. It lacks a functional PoC or analysis.

Classification: Stub 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Windows (Win32k)
No auth needed
devstral-2 · analyzed Feb 27, 2026

nomisec WRITEUP
by Anonymous-Family · poc
https://github.com/Anonymous-Family/CVE-2015-1701

This repository contains a README file describing CVE-2015-1701, a Win32k Elevation of Privilege Vulnerability. It provides references to the original advisory, mitigation steps, and social media links but does not include exploit code or technical details.

Classification: Writeup 90%
Attack Type: Lpe
Complexity: Trivial
Reliability: Theoretical
Target: Microsoft Windows (Win32k.sys)
No auth needed
Prerequisites: Vulnerable version of Windows without MS15-051 patch
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by Anonymous-Family · poc
https://github.com/Anonymous-Family/CVE-2015-1701-download

The repository contains only a README.md file with minimal content, providing no exploit code or technical details for CVE-2015-1701. It appears to be a placeholder or incomplete submission.

Classification: Stub 10%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Unknown, hfirefox, OJ Reeves, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms15_051_client_copy_image.rb

This Metasploit module exploits a vulnerability in the win32k.sys kernel mode driver (CVE-2015-1701) to achieve local privilege escalation on vulnerable Windows systems. It uses reflective DLL injection to execute the exploit payload.

Classification: Working Poc 100%
Attack Type: Lpe
Complexity: Moderate
Reliability: Reliable
Target: Windows 7, Windows Server 2008 R2, and other Windows versions with vulnerable win32k.sys
No auth needed
Prerequisites: Meterpreter session on the target system · Vulnerable version of win32k.sys
devstral-2 · analyzed Feb 19, 2026

patchapalooza WORKING POC
by hfiref0x · poc
https://gitee.com/hfiref0x/CVE-2015-1701

This repository contains a functional exploit for CVE-2015-1701, a Win32k Elevation of Privilege Vulnerability. The exploit leverages a flaw in the Windows kernel to escalate privileges by manipulating process tokens.

Classification: Working Poc 95%
Attack Type: Lpe
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (affected versions prior to MS15-051)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 23, 2026

patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository contains documentation and metadata generation scripts for a collection of Windows kernel exploits, including CVE-2003-0352, CVE-2006-3439, CVE-2008-1084, and others. It does not include functional exploit code for CVE-2015-1701 but provides structured documentation and tooling for managing exploit information.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Windows Kernel (various versions)
No auth needed
Prerequisites: Access to the repository · Python environment for script execution
devstral-2 · analyzed Feb 23, 2026

References (9)

Core References (9)

Press/Media Coverage (x_refsource_misc): http://twitter.com/symantec/statuses/590208710527549440
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/37049/
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/74245
Patch, Vendor Advisory (vendor-advisory, x_refsource_ms): https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-051
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/37367/
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1032155
Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2020/May/34

Scores

CVSS v3: 7.8
EPSS: 0.9043
EPSS Percentile: 99.6%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2022-03-03
VulnCheck KEV: 2015-04-18
InTheWild.io: 2015-04-18
ENISA EUVD: EUVD-2015-1831
Ransomware Use: Confirmed
Status: published
Products (5):
microsoft/windows_2003_server
microsoft/windows_2003_server r2 sp2
microsoft/windows_7
microsoft/windows_server_2008
microsoft/windows_vista
Published: Apr 21, 2015
KEV Added: Mar 03, 2022
Tracked Since: Feb 18, 2026