CVE-2016-0151

HIGH KEV RANSOMWARE

Windows 8.1, 10, RT 8.1, Server 2012 - Privilege Escalation via CSRSS Token Mismanagement


Exploitation Summary

CVE-2016-0151 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Google Security Research.

AI-analyzed exploit summary: This exploit leverages CVE-2016-0151 to elevate privileges by abusing the CSRSS BaseSrvCheckVDM RPC call to create a process in session 0 with the anonymous token, then using CreateProcessWithLogonW to spawn a process as the current user in session 0. It requires a multi-processor system and Windows 8.1.

Description

The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · c++ · dos · windows
https://www.exploit-db.com/exploits/39740

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows 8.1 (32-bit)
Auth required
Prerequisites: Multi-processor system · Windows 8.1 (32-bit) · Normal user privileges (not low IL)
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035544
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-048
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39740/

Scores

CVSS v3 7.8
EPSS 0.3241
EPSS Percentile 97.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2022-03-28
InTheWild.io 2022-03-28
ENISA EUVD EUVD-2016-0189
Ransomware Use Confirmed
CWE
CWE-269
Status published
Products (6)
microsoft/windows_10_1507
microsoft/windows_10_1511
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
Published Apr 12, 2016
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026