CVE-2018-0822

HIGH

Windows 10 and Windows Server 2016 - Elevation of Privilege via NTFS Reparse Point Handling

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-0822. PoCs published by Google Security Research.

AI-analyzed exploit summary The exploit leverages the Global Reparse Point feature in Windows 10 1709 to bypass sandbox restrictions and create arbitrary symbolic links without requiring SeCreateSymbolicLinkPrivilege. This allows for privilege escalation by redirecting file access to restricted locations.

Description

NTFS in Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way NTFS handles objects, aka "Windows NTFS Global Reparse Point Elevation of Privilege Vulnerability".

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · textlocalwindows
https://www.exploit-db.com/exploits/44147

The exploit leverages the Global Reparse Point feature in Windows 10 1709 to bypass sandbox restrictions and create arbitrary symbolic links without requiring SeCreateSymbolicLinkPrivilege. This allows for privilege escalation by redirecting file access to restricted locations.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows 10 1709
Auth required
Prerequisites: Low Integrity Level or AppContainer sandbox · Write access to the destination path
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102942
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44147/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040378

Scores

CVSS v3 7.0
EPSS 0.0268
EPSS Percentile 84.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (7)
microsoft/windows_10
microsoft/windows_10 1511
microsoft/windows_10 1607
microsoft/windows_10 1703
microsoft/windows_10 1709
microsoft/windows_server_2016
microsoft/windows_server_2016 1709
Published Feb 15, 2018
Tracked Since Feb 18, 2026