CVE-2016-0051

HIGH EXPLOITED

Microsoft Windows - Local Privilege Escalation via WebDAV Client

Title source: llm

Exploitation Summary

CVE-2016-0051 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including Metasploit, hex0r, koczkatamas, including a Metasploit module exploits/windows/local/ms16_016_webdav.

AI-analyzed exploit summary This Metasploit module exploits CVE-2016-0051, a local privilege escalation vulnerability in mrxdav.sys (WebDav) on Windows 7 SP1. It injects a reflective DLL into a process (e.g., notepad.exe) to elevate privileges to NT AUTHORITY\SYSTEM.

Description

The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."

Exploits (9)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocalwindows

https://www.exploit-db.com/exploits/40085

View Code ZIP pw:eip

This Metasploit module exploits CVE-2016-0051, a local privilege escalation vulnerability in mrxdav.sys (WebDav) on Windows 7 SP1. It injects a reflective DLL into a process (e.g., notepad.exe) to elevate privileges to NT AUTHORITY\SYSTEM.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows 7 SP1 (mrxdav.sys)

Auth required

Prerequisites: Local access to a vulnerable Windows 7 SP1 system · Non-admin session

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1106 - Native API

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb SUSPICIOUS VERIFIED

by hex0r · textlocalwindows

https://www.exploit-db.com/exploits/39788

View Code ZIP pw:eip

The provided ExploitDB entry lacks actual exploit code and instead directs users to external downloads (GitHub, GitLab) for the PoC. It references another exploit (39432) but does not include functional code or technical details.

Classification

Suspicious 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Theoretical

Target: WebDAV on Windows 7 x86

No auth needed

Prerequisites: Access to the target machine to copy and execute the exploit

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by koczkatamas · clocalwindows_x86

https://www.exploit-db.com/exploits/39432

View Code ZIP pw:eip

This exploit leverages CVE-2016-0051 (MS16-016) to achieve local privilege escalation (LPE) on Windows 7 SP1 x86 by abusing a WebDAV server to trigger a kernel vulnerability. The PoC includes a fake WebDAV server and WinAPI calls to exploit the flaw.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows 7 SP1 x86 (build 7601)

No auth needed

Prerequisites: Local access to the target system · Windows 7 SP1 x86 environment

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1211 - Exploitation for Defense Evasion

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 325 stars

by koczkatamas · local

https://github.com/koczkatamas/CVE-2016-0051

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2016-0051, demonstrating both a BSoD (Denial of Service) and an Elevation of Privilege (EoP) exploit. The code leverages a WebDAV server to trigger the vulnerability in Windows systems.

Classification

Working Poc 95%

Attack Type

Lpe | Dos

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows 7 SP1 x86 (build 7601)

No auth needed

Prerequisites: Windows 7 SP1 x86 (build 7601) · Local access to the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 42 stars

by hexx0r · poc

https://github.com/hexx0r/CVE-2016-0051

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2016-0051, demonstrating a local privilege escalation (LPE) vulnerability in Windows 7. The exploit includes compiled binaries and source code to achieve SYSTEM privileges via a BSoD and shell spawning mechanism.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows 7

Auth required

Prerequisites: Local access to a Windows 7 system · Compiled binaries (EoP.exe and Shellcode.dll)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec STUB

by ganrann · poc

https://github.com/ganrann/CVE-2016-0051

View Code ZIP pw:eip

The repository contains only a minimal README with no technical details or exploit code. It appears to be a placeholder or stub with no substantive content related to CVE-2016-0051.

Classification

Stub 100%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Tamas Koczka · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_016_webdav.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2016-0051, a local privilege escalation vulnerability in mrxdav.sys on Windows 7 SP1. It spawns a process, reflectively injects a payload DLL, and elevates privileges to NT AUTHORITY\SYSTEM.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 7 SP1 (mrxdav.sys)

Auth required

Prerequisites: Local access to the target system · Meterpreter session

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1106 - Native API

devstral-2 · analyzed Feb 19, 2026 Full analysis →

patchapalooza WORKING POC

by mirrors_koczkatamas · poc

https://gitee.com/mirrors_koczkatamas/CVE-2016-0051

View Code ZIP pw:eip

This repository contains functional proof-of-concept code for CVE-2016-0051, demonstrating both a Blue Screen of Death (BSoD) and an Elevation of Privilege (EoP) to SYSTEM on vulnerable Windows systems. The exploit leverages a WebDAV server to trigger the vulnerability, with specific implementations for Windows 7 SP1 x86 and Windows 10 x64.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows (Windows 7 SP1 x86, Windows 10 x64)

No auth needed

Prerequisites: Unpatched Windows system (pre-MS16-016) · Network access to the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 23, 2026 Full analysis →

patchapalooza NO CODE

by Ascotbe · local

https://github.com/Ascotbe/Kernelhub

View Code ZIP pw:eip

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1034980

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/40085/

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39788/

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-016

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39432/

Scores

CVSS v3 7.8

EPSS 0.6612

EPSS Percentile 98.5%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-03-06

CWE

CWE-264

Status published

Products (10)

microsoft/windows_10

microsoft/windows_10 1511

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_2008

microsoft/windows_server_2008 r2 sp1

microsoft/windows_server_2012

microsoft/windows_server_2012 r2

microsoft/windows_vista

Published Feb 10, 2016

Tracked Since Feb 18, 2026