CVE-2017-0101

HIGH KEV RANSOMWARE

Microsoft Windows - Local Privilege Escalation via Transaction Manager Kernel Driver

Title source: llm

Exploitation Summary

CVE-2017-0101 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including xiaodaozhi, Ascotbe.

AI-analyzed exploit summary This exploit targets CVE-2017-0101, a Windows kernel vulnerability, by manipulating bitmap and palette objects to achieve arbitrary memory read/write. It demonstrates a local privilege escalation (LPE) by corrupting kernel memory structures.

Description

The kernel-mode drivers in Transaction Manager in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

Exploits (2)

exploitdb WORKING POC

by xiaodaozhi · c++localwindows_x86

https://www.exploit-db.com/exploits/44479

View Code ZIP pw:eip

This exploit targets CVE-2017-0101, a Windows kernel vulnerability, by manipulating bitmap and palette objects to achieve arbitrary memory read/write. It demonstrates a local privilege escalation (LPE) by corrupting kernel memory structures.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Microsoft Windows (kernel vulnerability)

No auth needed

Prerequisites: Local access to a vulnerable Windows system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

patchapalooza NO CODE

by Ascotbe · local

https://github.com/Ascotbe/Kernelhub

View Code ZIP pw:eip

References (5)

Core 5

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44479/

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/96625

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038013

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0101

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0101

Scores

CVSS v3 7.8

EPSS 0.5748

EPSS Percentile 99.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-15

VulnCheck KEV 2022-03-15

InTheWild.io 2022-03-09

ENISA EUVD EUVD-2017-0468

Ransomware Use Confirmed

CWE

CWE-119

Status published

Products (4)

microsoft/windows_7

microsoft/windows_server_2008

microsoft/windows_vista

Microsoft Corporation/Windows The kernel-mode drivers in Transaction Manager in Microsoft Windows Vista SP2; Windows Server 2008 S

Published Mar 17, 2017

KEV Added Mar 15, 2022

Tracked Since Feb 18, 2026