CVE-2016-0099

Severity: HIGH · CISA KEV · Ransomware use confirmed

MS16-032 Secondary Logon Handle Privilege Escalation

Title source: metasploit

Exploitation Summary

CVE-2016-0099 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 3, 2022), with confirmed use in ransomware campaigns. EIP tracks 7 public exploits from authors including Metasploit, fdiskyou and b33f, among them the Metasploit module exploits/windows/local/ms16_032_secondary_logon_handle_privesc.

AI-analyzed exploit summary

This Metasploit module exploits CVE-2016-0099, a local privilege escalation in the Windows Secondary Logon service (seclogon). The service fails to sanitize a privileged thread handle that it duplicates into a process started through CreateProcessWithLogonW; a local user who wins the race can use the leaked handle to impersonate SYSTEM. The module drives the race with a PowerShell payload and elevates on affected Windows versions (7 through 10, Server 2008 through 2012).

Description

The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."
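The following is an added example, not code from the advisory, from EIP or from any of the exploit authors listed below: a read-only PowerShell check that a practitioner can run on a host to see whether it falls in the release family named above and whether the Secondary Logon service, which every published exploit for this bug depends on, is running. It assumes PowerShell 3.0 or later (Get-CimInstance, [pscustomobject]) and maps each listed release to its well-known RTM build number; it does not detect whether the March 2016 update is installed, so an in-range build is "exposed", not "confirmed vulnerable".

```powershell
# Added example for this page (not code from the advisory, EIP or any listed
# exploit author): a read-only exposure check for CVE-2016-0099 / MS16-032.
# Assumes PowerShell 3.0+ (Get-CimInstance, [pscustomobject]). It reports
# whether the OS build belongs to a release named in the advisory and whether
# the Secondary Logon service (seclogon), which every published exploit needs,
# is running. It does not prove the host is unpatched; an in-range build with
# the March 2016 update applied is not vulnerable.

function Get-Ms16032Exposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # RTM build numbers of the releases listed in the Description section.
    $advisoryBuilds = @{
        6002  = 'Windows Vista SP2 / Windows Server 2008 SP2'
        7601  = 'Windows 7 SP1 / Windows Server 2008 R2 SP1'
        9200  = 'Windows Server 2012'
        9600  = 'Windows 8.1 / Windows Server 2012 R2'
        10240 = 'Windows 10 1507'
        10586 = 'Windows 10 1511'
    }
    $inFamily = $advisoryBuilds.ContainsKey($build)
    $label    = if ($inFamily) { $advisoryBuilds[$build] } else { 'not a release named in MS16-032' }

    # Win32_Service exposes State/StartMode on every PowerShell version;
    # ServiceController.StartType only appeared in PowerShell 5.
    $svc      = Get-CimInstance -ClassName Win32_Service -Filter "Name='seclogon'"
    $svcState = if ($svc) { $svc.State } else { 'not installed' }
    $svcStart = if ($svc) { $svc.StartMode } else { 'n/a' }

    [pscustomobject]@{
        Caption           = $os.Caption
        Build             = $build
        InAdvisoryFamily  = $inFamily
        Release           = $label
        SecLogonState     = $svcState
        SecLogonStartMode = $svcStart
        # Disabling seclogon blocks the CreateProcessWithLogonW path the
        # exploits use; it is a compensating control, not a substitute for
        # the patch (it also breaks "Run as different user" and runas.exe).
        ExploitPathOpen   = ($inFamily -and $svcState -eq 'Running')
    }
}

Get-Ms16032Exposure | Format-List
```

ExploitPathOpen is true only when the build is one the advisory names and seclogon is running; treat that as a prompt to verify the patch level, not as a finding in itself.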

Exploits (7)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/40107

This Metasploit module exploits CVE-2016-0099, a privilege escalation vulnerability in Windows Secondary Logon Service due to improper handle sanitization. It leverages PowerShell to execute a payload and elevate privileges on affected Windows systems (7-10, 2k8-2k12).

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows Secondary Logon Service (Windows 7-10, 2k8-2k12)
Auth required
Prerequisites: Windows system with PowerShell 2.0 or later · Multi-core CPU · Local access with non-admin privileges
devstral-2 · analyzed Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by fdiskyou · local · windows
https://www.exploit-db.com/exploits/39809

This is a C# implementation of a local privilege escalation exploit for CVE-2016-0099 (MS16-032), targeting Windows 7-10 and Server 2008-2012. It hosts a PowerShell runspace from System.Management.Automation.dll to sidestep script execution restrictions and escalates privileges by abusing the thread handle that the Secondary Logon service leaks into the process it creates.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows 7-10 & Server 2008-2012
Auth required
Prerequisites: Local access to a vulnerable Windows system · System.Management.Automation.dll for compilation
devstral-2 · analyzed Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by b33f · powershell · local · windows
https://www.exploit-db.com/exploits/39719

This PowerShell script exploits CVE-2016-0099 (MS16-032), a local privilege escalation vulnerability in Windows. It leverages a race condition in the Secondary Logon Service to impersonate a SYSTEM token, granting elevated privileges.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Windows 7-10, Windows Server 2008-2012
Auth required
Prerequisites: Multi-core CPU · PowerShell v2+ · Local user access
devstral-2 · analyzed Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by Google Security Research · local · windows_x86
https://www.exploit-db.com/exploits/39574

This exploit leverages CVE-2016-0099 to escalate privileges to Local System by abusing a thread handle that the Secondary Logon service duplicates into the user's new process. It calls CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY, which creates the process without validating the supplied credentials, and then manipulates the leaked thread handle's token to achieve elevation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 8.1, Windows 10 (Secondary Logon Service)
Auth required
Prerequisites: User-level access on the target system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 83 stars
by zcgonvh · local
https://github.com/zcgonvh/MS16-032

This repository contains a functional exploit for CVE-2016-0099 (MS16-032), which leverages a leaked thread handle to achieve local privilege escalation (LPE) on Windows systems. The exploit uses NtImpersonateThread to impersonate a SYSTEM thread and execute commands with elevated privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows (pre-patch for MS16-032)
No auth needed
Prerequisites: Windows system vulnerable to MS16-032 · Compilation on x64 platform
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC · NORMAL
by James Forshaw, b33f · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb

This Metasploit module exploits CVE-2016-0099, a privilege escalation vulnerability in Windows Secondary Logon Service due to improper handle sanitization. It leverages PowerShell to execute a payload and elevate privileges on vulnerable systems.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 7-10, Windows Server 2008-2012 (32/64-bit)
Auth required
Prerequisites: Powershell 2.0 or later · System with two or more CPU cores · Local access to the target system
devstral-2 · analyzed Feb 16, 2026
patchapalooza · WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository is a documentation hub for various Windows kernel exploits, including CVE-2003-0352, CVE-2006-3439, CVE-2008-1084, and others. It contains README files with technical details and a Python script for generating documentation, but no functional exploit code for CVE-2016-0099.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows Kernel (various versions)
No auth needed
Prerequisites: access to vulnerable Windows system
devstral-2 · analyzed Feb 23, 2026

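The entries above share one mechanism: the exploit calls CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY in a tight loop until the race against the Secondary Logon service is won. Each such call creates a NewCredentials logon, which the Security log records as event 4624 with Logon Type 9, so a burst of type-9 logons for one account within a few seconds is a practical hunting signal. The following is an added example, not code from EIP or from any of the exploit authors: a PowerShell heuristic run over constructed, simplified event records. The window and threshold values are assumptions to tune per environment, and legitimate tooling that performs many runas /netonly style logons in bulk will also trip it.

```powershell
# Added example for this page (not code from EIP or the exploit authors): a
# hunting heuristic for the exploitation pattern described in the entries
# above. Each CreateProcessWithLogonW call made with LOGON_NETCREDENTIALS_ONLY
# produces a NewCredentials logon, i.e. Security event 4624 with Logon Type 9.
# The racy exploits issue that call in a tight loop, so a burst of type-9
# logons for one subject account within a few seconds is the signal; a single
# "runas /netonly" produces one. The records below are constructed for the
# example and use simplified field names; the thresholds are assumptions.

function Find-NewCredentialsBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 10,
        [int] $Threshold     = 5
    )

    # Group by host and the account that requested the logon. The 4624
    # "Caller Process" for this path may show the seclogon svchost rather
    # than the exploit binary, so the subject account is the safer pivot.
    $type9 = @($Events | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq 9 })
    foreach ($grp in ($type9 | Group-Object -Property Host, SubjectUser)) {
        $sorted = @($grp.Group | Sort-Object TimeCreated)
        # Sliding window anchored at each event: count events that follow it
        # within WindowSeconds and alert once per host/account on the first hit.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddSeconds($WindowSeconds)
            $hits  = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            if ($hits.Count -ge $Threshold) {
                [pscustomobject]@{
                    Host        = $sorted[$i].Host
                    SubjectUser = $sorted[$i].SubjectUser
                    WindowStart = $start
                    Type9Count  = $hits.Count
                    Verdict     = 'possible MS16-032-style CreateProcessWithLogonW loop'
                }
                break
            }
        }
    }
}

# Constructed sample: one ordinary runas /netonly by alice on HOST-A, an
# interactive (type 2) logon that must be ignored, and 12 NewCredentials
# logons for bob on HOST-B spaced 200 ms apart, the shape a race loop produces.
$base   = Get-Date '2016-03-10T09:00:00'
$sample = @(
    [pscustomobject]@{ Host = 'HOST-A'; EventId = 4624; LogonType = 9; SubjectUser = 'alice'; TimeCreated = $base }
    [pscustomobject]@{ Host = 'HOST-A'; EventId = 4624; LogonType = 2; SubjectUser = 'alice'; TimeCreated = $base.AddMinutes(1) }
)
foreach ($n in 0..11) {
    $sample += [pscustomobject]@{ Host = 'HOST-B'; EventId = 4624; LogonType = 9; SubjectUser = 'bob'; TimeCreated = $base.AddSeconds(30 + 0.2 * $n) }
}

Find-NewCredentialsBurst -Events $sample | Format-Table -AutoSize
```

On real data, feed the function objects built from Get-WinEvent over the Security log (4624 records with LogonType, SubjectUserName and TimeCreated pulled from the event XML); the single alice logon is below the threshold and is not reported, while bob's twelve logons inside 2.2 seconds produce one alert for HOST-B.
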
References (8)

Core references
Exploit, Third Party Advisory, VDB Entry (exploit-db): https://www.exploit-db.com/exploits/40107/
Exploit, Third Party Advisory, VDB Entry (exploit-db): https://www.exploit-db.com/exploits/39719/
Exploit, Third Party Advisory, VDB Entry (exploit-db): https://www.exploit-db.com/exploits/39809/
Broken Link, Third Party Advisory, VDB Entry (BID): http://www.securityfocus.com/bid/84034
Broken Link, Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1035210
Patch, Vendor Advisory (Microsoft): https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032
Exploit, Third Party Advisory, VDB Entry (exploit-db): https://www.exploit-db.com/exploits/39574/

Scores

CVSS v3 7.8
EPSS 0.9044
EPSS Percentile 99.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2018-06-01
InTheWild.io 2022-03-03
ENISA EUVD EUVD-2016-0137
Ransomware Use Confirmed
CWE
CWE-120
Status published
Products (9)
microsoft/windows_10_1507
microsoft/windows_10_1511
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_vista
Published Mar 09, 2016
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026