CVE-2015-2546

HIGH KEV RANSOMWARE

Microsoft Windows - Local Privilege Escalation via Win32k Memory Corruption


Exploitation Summary

CVE-2015-2546 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 15, 2022), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including k0keoyo, AmazingOut, and Ascotbe.

AI-analyzed exploit summary: This is a working exploit for CVE-2015-2546, a Windows kernel vulnerability that allows local privilege escalation by manipulating window station handles to achieve arbitrary memory writes. The exploit includes shellcode to steal the SYSTEM token for privilege escalation.

Description

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518.

Exploits (3)

Source: nomisec · Working PoC · 22 stars
by k0keoyo · local
https://github.com/k0keoyo/CVE-2015-2546-Exploit


Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (affects Windows 7 and earlier)
Auth required: yes
Prerequisites: Local access to the target system · Ability to execute arbitrary code
Analyzed by devstral-2 on Feb 16, 2026
Source: github · Working PoC
by AmazingOut · cpoc
https://github.com/AmazingOut/CVE_POC/tree/main/CVE-2015-2546

This repository contains a functional exploit for CVE-2015-2546, a Windows kernel privilege escalation vulnerability. The exploit leverages heap manipulation and token replacement to escalate privileges to SYSTEM.

Classification: Working PoC (95%)
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (affected versions include Windows 7, Windows Server 2008 R2)
Auth required: yes
Prerequisites: Local access to the target system · Ability to execute arbitrary code
Analyzed by devstral-2 on Feb 27, 2026

Source: patchapalooza · No code
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

References (4)

Core References
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1033485
Patch, Vendor Advisory (Microsoft MS15-097): https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-097
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/76608

Scores

CVSS v3: 8.2
EPSS: 0.4056
EPSS Percentile: 97.5%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2022-03-15
VulnCheck KEV: 2015-09-08
InTheWild.io: 2015-09-08
ENISA EUVD: EUVD-2015-2639
Ransomware Use: Confirmed
CWE: CWE-119
Status: published
Products (11)
microsoft/windows_10_1507
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 1 more
Published: Sep 09, 2015
KEV Added: Mar 15, 2022
Tracked Since: Feb 18, 2026