CVE-2015-2370

EXPLOITED

Windows RPC - Local Privilege Escalation via DCE/RPC Connection Reflection

Exploitation Summary

CVE-2015-2370 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, from researchers including monoxgas and Ascotbe.

Description

The authentication implementation in the RPC subsystem in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not prevent DCE/RPC connection reflection, which allows local users to gain privileges via a crafted application, aka "Windows RPC Elevation of Privilege Vulnerability."

Exploits (2)

exploitdb WORKING POC
by monoxgas · text · local · windows
https://www.exploit-db.com/exploits/37768

This exploit leverages CVE-2015-2370 (MS15-076) to escalate privileges by copying a file to a privileged location via a symlink attack. It uses Microsoft.VisualStudio.OLE.Interop.dll and requires a cooldown period due to RPC limitations.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 7/8.1 (x64/x86)
Auth required
Prerequisites: Microsoft.VisualStudio.OLE.Interop.dll in the same directory · Local access to the target system
devstral-2 · analyzed Feb 18, 2026

patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository contains documentation and configuration scripts for a collection of Windows kernel exploits, including CVE-2003-0352, CVE-2006-3439, CVE-2008-1084, CVE-2008-3464, and CVE-2008-4037. It includes README files with technical details and a Python script for generating documentation.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Windows Kernel
No auth needed
Prerequisites: access to vulnerable Windows system
devstral-2 · analyzed Feb 23, 2026

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032907
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37768/

Scores

EPSS 0.0973
EPSS Percentile 93.1%

Details

VulnCheck KEV: 2022-03-16
CWE: CWE-264
Status: published
Products (12)
microsoft/windows_2003_server
microsoft/windows_2003_server r2 sp2
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
... and 2 more
Published Jul 14, 2015
Tracked Since Feb 18, 2026