CVE-2016-7224

MEDIUM

Windows VHD Driver - Unauthenticated Privilege Escalation via File Access

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-7224. PoCs published by Google Security Research.

AI-analyzed exploit summary The provided C# code demonstrates an elevation of privilege (EoP) vulnerability in the Windows VHDMP driver (CVE-2016-7224) by cloning physical disks without proper access checks. It leverages the `CreateVirtualDisk` API to bypass DACL restrictions, allowing a non-admin user to clone and read sensitive data from physical drives.

Description

Virtual Hard Disk Driver in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 does not properly restrict access to files, which allows local users to gain privileges via a crafted application, aka "VHD Driver Elevation of Privilege Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · localwindows

https://www.exploit-db.com/exploits/40765

View Code ZIP pw:eip

The provided C# code demonstrates an elevation of privilege (EoP) vulnerability in the Windows VHDMP driver (CVE-2016-7224) by cloning physical disks without proper access checks. It leverages the `CreateVirtualDisk` API to bypass DACL restrictions, allowing a non-admin user to clone and read sensitive data from physical drives.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 10 (10586)

No auth needed

Prerequisites: Access to a Windows 10 system with VHDMP driver · Sufficient disk space for cloning

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1003 - OS Credential Dumping

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1037248

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-138

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/94017

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/40765/

Scores

CVSS v3 6.1

EPSS 0.0411

EPSS Percentile 89.4%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Details

CWE

CWE-284

Status published

Products (8)

microsoft/windows_10

microsoft/windows_10 1511

microsoft/windows_10 1607

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_2012

microsoft/windows_server_2012 r2

microsoft/windows_server_2016

Published Nov 10, 2016

Tracked Since Feb 18, 2026