CVE-2015-5736

Fortinet FortiClient < 5.2.3 - Local Privilege Escalation via Fortishield.sys Ioctl Calls

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2015-5736. PoCs published by sickness & mschenk, sickness, avielzecharia.

AI-analyzed exploit summary: This exploit targets CVE-2015-5736, a privilege escalation vulnerability in FortiShield.sys. It leverages memory leaks and ROP chains to achieve arbitrary code execution in kernel mode, ultimately spawning a command prompt with elevated privileges.

Description

The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows local users to execute arbitrary code with kernel privileges by setting the callback function in a (1) 0x220024 or (2) 0x220028 ioctl call.

Exploits (4)

exploitdb WORKING POC VERIFIED
by sickness & mschenk · c++ · local · windows_x86-64
https://www.exploit-db.com/exploits/45149

This exploit targets CVE-2015-5736, a privilege escalation vulnerability in FortiShield.sys. It leverages memory leaks and ROP chains to achieve arbitrary code execution in kernel mode, ultimately spawning a command prompt with elevated privileges.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: FortiShield.sys (Fortinet FortiClient)
No auth needed
Prerequisites: Access to the vulnerable system · Presence of FortiShield.sys driver · Ability to interact with the driver via DeviceIoControl
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by sickness · c · local · windows_x86-64
https://www.exploit-db.com/exploits/41721

This exploit leverages a vulnerability in FortiShield.sys to bypass SMEP (Supervisor Mode Execution Prevention) by manipulating PTE (Page Table Entries) and executing a token-stealing payload for local privilege escalation on Windows 10 Pro x64 (Pre-Anniversary).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: FortiShield.sys 5.2.3.633 on Windows 10 Pro x64 (Pre-Anniversary)
No auth needed
Prerequisites: Presence of vulnerable FortiShield.sys driver · Local access to the target system
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by sickness · c · local · windows_x86-64
https://www.exploit-db.com/exploits/41722

This exploit leverages a use-after-free vulnerability in the Windows kernel (CVE-2015-5736) to achieve local privilege escalation by manipulating bitmap objects and accelerator tables to corrupt kernel memory. It includes a ROP chain to bypass SMEP and execute arbitrary code in kernel mode.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 Pro x64 (Post-Anniversary) with FortiShield.sys 5.2.3.633
No auth needed
Prerequisites: Windows 10 Pro x64 (Post-Anniversary) · FortiShield.sys 5.2.3.633 · Local access to the system
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by avielzecharia · poc
https://github.com/avielzecharia/CVE-2015-5736

This PoC exploits CVE-2015-5736 in FortiShield.sys using ROP chains, PreviousMode overwrite, and token stealing to achieve local privilege escalation. It leverages a race condition in MoveFileEx and arbitrary read/write primitives to manipulate kernel memory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: FortiShield.sys (Fortinet FortiShield)
No auth needed
Prerequisites: Windows system with FortiShield.sys driver loaded · Local access to the target system
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41722/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45149/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033439
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41721/
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/536369/100/0/threaded
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Sep/0

Scores

EPSS 0.0255
EPSS Percentile 85.8%

Details

CWE CWE-264
Status published
Products (1)
fortinet/forticlient < 5.2.3
Published Sep 03, 2015
Tracked Since Feb 18, 2026