CVE-2017-11830

MEDIUM

Windows - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-11830. PoCs published by Google Security Research.

AI-analyzed exploit summary This is a detailed technical analysis of CVE-2017-11830, a TOCTOU (Time-of-Check Time-of-Use) vulnerability in Windows Code Integrity (CI) that allows bypassing Device Guard policies by exploiting a race condition in the caching of file signing levels. The writeup includes root cause analysis, exploitation steps, and a conceptual PoC description.

Description

Device Guard in Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016, and Windows Server, version 1709 allows an attacker to make an unsigned file appear to be signed, due to a security feature bypass, aka "Device Guard Security Feature Bypass Vulnerability".

Exploits (1)

exploitdb WRITEUP VERIFIED

by Google Security Research · textlocalwindows

https://www.exploit-db.com/exploits/43162

View Code ZIP pw:eip

This is a detailed technical analysis of CVE-2017-11830, a TOCTOU (Time-of-Check Time-of-Use) vulnerability in Windows Code Integrity (CI) that allows bypassing Device Guard policies by exploiting a race condition in the caching of file signing levels. The writeup includes root cause analysis, exploitation steps, and a conceptual PoC description.

Classification

Writeup 100%

Attack Type

Other

Complexity

Complex

Reliability

Racy

Target: Windows 10 (10586/14393/10S)

No auth needed

Prerequisites: Executable code running on the target system · Ability to write files to an NTFS drive with USN Change Journal enabled

MITRE ATT&CK

T1553.005 - Mark-of-the-Web Bypass

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Technical Description, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43162/

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1039790

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11830

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/101714

Scores

CVSS v3 5.3

EPSS 0.0257

EPSS Percentile 83.1%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-367

Status published

Products (8)

microsoft/windows_10

microsoft/windows_10 1511

microsoft/windows_10 1607

microsoft/windows_10 1703

microsoft/windows_10 1709

microsoft/windows_server 1709

microsoft/windows_server_2016

Microsoft Corporation/Device Guard Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016, and Windows Server, version 1709.

Published Nov 15, 2017

Tracked Since Feb 18, 2026