CVE-2017-0213

HIGH KEV RANSOMWARE

Microsoft Windows - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-0213 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022, with confirmed use in ransomware campaigns. EIP tracks 8 public exploits from researchers including Google Security Research, zcgonvh, eonrickity.

AI-analyzed exploit summary This is a detailed technical analysis of CVE-2017-0213, a Windows COM Aggregate Marshaler/IRemUnknown2 type confusion vulnerability leading to Elevation of Privilege (EoP). The writeup explains the root cause, exploitation technique via type library manipulation, and potential attack scenarios, including BITS service abuse.

Description

Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.

Exploits (8)

exploitdb WRITEUP VERIFIED
by Google Security Research · c++localwindows
https://www.exploit-db.com/exploits/42020

This is a detailed technical analysis of CVE-2017-0213, a Windows COM Aggregate Marshaler/IRemUnknown2 type confusion vulnerability leading to Elevation of Privilege (EoP). The writeup explains the root cause, exploitation technique via type library manipulation, and potential attack scenarios, including BITS service abuse.

Classification
Writeup 100%
Attack Type
Lpe
Complexity
Complex
Reliability
Theoretical
Target: Windows 10 (10586/14393)
No auth needed
Prerequisites: Ability to inject an OBJREF stream into a COM connection · Privileged service or user querying an attacker-controlled COM object
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP 58 stars
by zcgonvh · local
https://github.com/zcgonvh/CVE-2017-0213

This repository contains a detailed technical analysis of CVE-2017-0213, a Windows COM Aggregate Marshaler/IRemUnknown2 type confusion vulnerability leading to Elevation of Privilege (EoP). The writeup explains the root cause, exploitation technique via type library manipulation, and potential attack vectors like BITS callback interfaces.

Classification
Writeup 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Theoretical
Target: Windows 10 (10586/14393)
Auth required
Prerequisites: Ability to control a COM object accessible by a higher-privileged process · Impersonation context where C: drive redirection is possible
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS 13 stars
by eonrickity · poc
https://github.com/eonrickity/CVE-2017-0213

The repository provides download links to external executables and ZIP files for CVE-2017-0213 but contains no actual exploit code or technical analysis. It relies on external downloads, which is a common tactic for suspicious repositories.

Classification
Suspicious 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Theoretical
Target: Windows COM (Windows 7, 8.1, 10, Server 2008, 2012, 2016)
No auth needed
Prerequisites: Access to a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP 1 stars
by jbooz1 · local
https://github.com/jbooz1/CVE-2017-0213

This repository contains a detailed technical analysis of CVE-2017-0213, a Windows COM Aggregate Marshaler/IRemUnknown2 type confusion vulnerability leading to Elevation of Privilege (EoP). The writeup includes root cause analysis, exploitation techniques, and a discussion of the vulnerability's impact on Windows 10 systems.

Classification
Writeup 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Theoretical
Target: Windows 10 (versions 10586/14393)
No auth needed
Prerequisites: Access to a vulnerable Windows 10 system · Ability to execute arbitrary code in a low-privilege context
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP
by Anonymous-Family · poc
https://github.com/Anonymous-Family/CVE-2017-0213

This repository provides a detailed description and references for CVE-2017-0213, a Windows COM Elevation of Privilege Vulnerability. It includes affected product versions, references to external resources, and a video demonstration, but lacks actual exploit code or technical analysis.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Theoretical
Target: Windows 10 (1511, 1607, 1703), Windows 7 SP1, and others
No auth needed
Prerequisites: Access to a vulnerable Windows system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by billa3283 · poc
https://github.com/billa3283/CVE-2017-0213

The repository contains only a README.md file with the CVE identifier and no additional technical details or exploit code. It is a placeholder with minimal content.

Classification
Stub 100%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS
by shaheemirza · poc
https://github.com/shaheemirza/CVE-2017-0213-

The repository lacks actual exploit code and instead provides vague instructions with screenshots and a YouTube link, directing users to download external tools like Cmder and Mimikatz. No technical details about the vulnerability or exploit mechanics are provided.

Classification
Suspicious 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Theoretical
Target: Windows 10, Windows 7, Windows Server 2008
Auth required
Prerequisites: Access to a command prompt with limited privileges · External tools (Cmder, Mimikatz)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository is a documentation hub for various Windows CVEs, including CVE-2017-0213, but does not contain actual exploit code. It includes scripts for generating documentation and README files in multiple languages, categorizing vulnerabilities based on testing status.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Windows (various versions)
No auth needed
Prerequisites: access to the repository · Python environment for documentation generation
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (5)

Core 5
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98102
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42020/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038457

Scores

CVSS v3 7.3
EPSS 0.9257
EPSS Percentile 99.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2018-12-21
InTheWild.io 2020-05-27
ENISA EUVD EUVD-2017-0579
Ransomware Use Confirmed
Status published
Products (13)
microsoft/windows_10_1507
microsoft/windows_10_1511
microsoft/windows_10_1607
microsoft/windows_10_1703
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
... and 3 more
Published May 12, 2017
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026