CVE-2015-2291

HIGH KEV RANSOMWARE

Intel Ethernet Diagnostics Driver IQVW32.sys and IQVW64.sys < 1.3.1.0 - Denial of Service via IOCTL Call

Title source: llm

Exploitation Summary

CVE-2015-2291 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 10, 2023, with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including Glafkos Charalambous, Tare05, and gmh5225.

Description

(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allow local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.

Exploits (5)

exploitdb WORKING POC
by Glafkos Charalambous · text · dos · windows
https://www.exploit-db.com/exploits/36392

This exploit demonstrates a vulnerability in Intel Network Adapter Diagnostic Driver (iqvw32.sys/iqvw64e.sys) where insufficient input validation in IOCTL handling leads to a SYSTEM_SERVICE_EXCEPTION (0x3B) bugcheck. The PoC triggers a crash by sending malformed IOCTL requests (e.g., 0x80862013) with invalid memory addresses (0xDEADBEEF), proving arbitrary memory access and potential for privilege escalation.

Classification: Working PoC 90%
Attack Type: DoS | LPE
Complexity: Moderate
Reliability: Reliable
Target: Intel Network Adapter Driver (iqvw32.sys v1.03.0.7, iqvw64e.sys v1.03.0.7)
No auth needed
Prerequisites: Access to a vulnerable Windows system with the affected Intel driver installed · Ability to send IOCTL requests to the driver
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by Tare05 · poc
https://github.com/Tare05/Intel-CVE-2015-2291

This PoC exploits CVE-2015-2291, a vulnerability in Intel drivers, to achieve arbitrary kernel memory overwrite and execute arbitrary code in the kernel. It includes functionality for physical to virtual address translation and mapping physical memory.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Intel driver (specific version not specified)
No auth needed
Prerequisites: Access to the vulnerable Intel driver
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by gmh5225 · local
https://github.com/gmh5225/CVE-2015-2291

This repository contains a proof-of-concept exploit for CVE-2015-2291, targeting the Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys) on Windows 7 and 10. The exploit leverages IOCTL calls to trigger arbitrary kernel code execution via uncontrolled `memset` and `memmove` operations.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys) before 1.3.1.0
No auth needed
Prerequisites: Local access to the target system · Vulnerable driver loaded (IQVW32.sys/IQVW64.sys)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by ethanedits · local
https://github.com/ethanedits/iqvw64e-privilege-escalation

This repository contains a functional proof-of-concept exploit for CVE-2015-2291, a local privilege escalation vulnerability in the Intel Ethernet diagnostics driver (iqvw64e.sys). The exploit leverages an arbitrary memory read/write primitive via a vulnerable IOCTL handler to replace the current process token with the SYSTEM token.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Intel Ethernet diagnostics driver (iqvw64e.sys) on Windows 10 x64 22H2 (19045.6466)
No auth needed
Prerequisites: Presence of vulnerable driver (iqvw64e.sys) · Local access to the target system
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by paysonism · poc
https://github.com/paysonism/CVE-2015-2291-Spoofer-Analysis

This repository provides an analysis and reverse engineering overview of the CVE-2015-2291 exploit targeting the Intel Ethernet Diagnostics Driver (iQVW32.sys) for memory manipulation, specifically for HWID spoofing. It includes compiled IDA Professional 9.1 files and a writeup.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Intel Ethernet Diagnostics Driver (iQVW32.sys)
No auth needed
Prerequisites: Access to vulnerable Intel Ethernet Diagnostics Driver · IDA Professional 9.1 for analysis
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/36392/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/79623

Scores

CVSS v3 7.8
EPSS 0.0561
EPSS Percentile 90.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2023-02-10
VulnCheck KEV 2023-01-10
InTheWild.io 2023-02-10
ENISA EUVD EUVD-2015-2389
Ransomware Use Confirmed
CWE CWE-20
Status published
Products (2)
intel/ethernet_diagnostics_driver_iqvw32.sys 1.03.0.7
intel/ethernet_diagnostics_driver_iqvw64.sys 1.03.0.7
Published Aug 09, 2017
KEV Added Feb 10, 2023
Tracked Since Feb 18, 2026