CVE-2018-8120

HIGH KEV RANSOMWARE

Windows SetImeInfoEx Win32k NULL Pointer Dereference

Title source: metasploit

Exploitation Summary

CVE-2018-8120 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 18 public exploits from researchers including Metasploit, rip1s, and alpha1ab, among them the Metasploit module exploits/windows/local/ms18_8120_win32k_privesc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2018-8120, a Win32k NULL pointer dereference vulnerability in Windows 7 and Server 2008 R2, allowing local privilege escalation to kernel mode. It includes architecture-specific payloads and handles both x86 and x64 targets.

Description

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8124, CVE-2018-8164, CVE-2018-8166.

Exploits (18)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/45653

This Metasploit module exploits CVE-2018-8120, a Win32k NULL pointer dereference vulnerability in Windows 7 and Server 2008 R2, allowing local privilege escalation to kernel mode. It includes architecture-specific payloads and handles both x86 and x64 targets.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 7, Windows Server 2008 R2
Auth required
Prerequisites: Local access to the target system · Meterpreter session
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 500 stars
by rip1s · local
https://github.com/rip1s/CVE-2018-8120

This is a working proof-of-concept exploit for CVE-2018-8120, a Windows kernel vulnerability in win32k.sys. The exploit leverages a race condition to achieve local privilege escalation (LPE) by manipulating kernel objects and token structures.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (win32k.sys)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Administrative or SYSTEM privileges to load kernel drivers
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 297 stars
by alpha1ab · local
https://github.com/alpha1ab/CVE-2018-8120

This is a working proof-of-concept exploit for CVE-2018-8120, a Windows kernel vulnerability. The code demonstrates a local privilege escalation (LPE) by manipulating kernel structures to elevate privileges to SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (affects multiple versions, including Windows 7 and Windows 10)
Auth required
Prerequisites: Local access to the target system · Ability to execute arbitrary code on the target system
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 164 stars
by bigric3 · local
https://github.com/bigric3/cve-2018-8120

This is a working exploit PoC for CVE-2018-8120, a Windows kernel privilege escalation vulnerability. The code leverages a double-free bug to escalate privileges to SYSTEM by manipulating kernel structures and token references.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 7 SP1 x86
No auth needed
Prerequisites: Windows 7 SP1 x86 system · Local access to the target machine
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 5 stars
by ne1llee · poc
https://github.com/ne1llee/cve-2018-8120

This PowerShell script exploits CVE-2018-8120, a Windows kernel vulnerability, by manipulating GDI objects to achieve local privilege escalation (LPE). It leverages bitmap handling and memory corruption to escalate privileges from a low-integrity process.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (kernel)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Execution policy allowing PowerShell scripts
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by EVOL4 · poc
https://github.com/EVOL4/CVE-2018-8120

This is a working exploit for CVE-2018-8120, a Windows kernel vulnerability that allows local privilege escalation by manipulating the GDT (Global Descriptor Table) via a call gate. The exploit uses NtUserSetImeInfoEx to trigger the vulnerability and escalate privileges to SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows (versions 3-6, including Windows 7 and Windows Server 2008)
No auth needed
Prerequisites: Local access to the target system · Administrative privileges not required
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by ozkanbilge · local
https://github.com/ozkanbilge/CVE-2018-8120

This is a working exploit for CVE-2018-8120, a Windows kernel vulnerability in win32k.sys. The exploit leverages a race condition to achieve local privilege escalation (LPE) by overwriting kernel memory to escalate privileges to SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (win32k.sys), versions including Windows 7 and Windows Server 2008
Auth required
Prerequisites: Local access to the target system · Administrative or user-level access to execute the exploit
devstral-2 · analyzed Feb 16, 2026
gitlab WORKING POC
by cy.py3.io · poc
https://gitlab.com/cy.py3.io/cve-2018-8120

This repository contains a functional exploit for CVE-2018-8120, a Windows kernel vulnerability. The exploit leverages a double-free condition to achieve local privilege escalation (LPE) by manipulating kernel structures and token stealing.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 7 SP1 x86
No auth needed
Prerequisites: Windows 7 SP1 x86 system · Local access to the target machine
devstral-2 · analyzed Feb 23, 2026
github WORKING POC
by AmazingOut · c · poc
https://github.com/AmazingOut/CVE_POC/tree/main/CVE-2018-8120

This repository contains a functional exploit for CVE-2018-8120, a Windows kernel vulnerability in win32k.sys. The exploit leverages bitmap object manipulation to achieve arbitrary read/write in kernel memory, ultimately escalating privileges by overwriting the HalDispatchTable to execute shellcode.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 7 (x64 and x86)
No auth needed
Prerequisites: Windows 7 environment · ability to execute arbitrary code at user level
devstral-2 · analyzed Feb 27, 2026
nomisec STUB
by StartZYP · poc
https://github.com/StartZYP/CVE-2018-8120

The repository contains only minimal placeholder code with no functional exploit implementation. The files include empty or near-empty C++ files referencing a non-existent 'test.h' header.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Unknown (CVE-2018-8120 is a Win32k privilege escalation vulnerability)
No auth needed
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by Y0n0Y · poc
https://github.com/Y0n0Y/cve-2018-8120-exp

This repository contains a functional exploit for CVE-2018-8120, a Windows kernel vulnerability in win32k.sys. The exploit leverages bitmap manipulation and arbitrary read/write primitives to achieve local privilege escalation (LPE) on Windows 7 SP1 systems.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 7 SP1 (x86 and x64)
No auth needed
Prerequisites: Windows 7 SP1 system · Local access to the target machine
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by qiantu88 · poc
https://github.com/qiantu88/CVE-2018-8120

This is a working exploit PoC for CVE-2018-8120, a Windows kernel vulnerability in win32k.sys. The exploit leverages a race condition to achieve local privilege escalation (LPE) by manipulating GDI objects and token stealing.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Microsoft Windows (win32k.sys)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Administrative or SYSTEM privileges to load kernel modules
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC GOOD
by unamer, bigric3, Anton Cherepanov, Dhiraj Mishra · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb

This Metasploit module exploits CVE-2018-8120, a Win32k NULL pointer dereference vulnerability in Windows 7 and Server 2008 R2, to achieve local privilege escalation. It leverages precompiled exploit binaries to execute arbitrary code in kernel mode.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 7, Windows Server 2008 R2
Auth required
Prerequisites: Local access to the target system · Meterpreter session
devstral-2 · analyzed Feb 16, 2026
patchapalooza WORKING POC
by mirrors_unamer · poc
https://gitee.com/mirrors_unamer/CVE-2018-8120

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2018-8120, targeting Windows systems via a vulnerability in the win32k.sys driver. The exploit includes shellcode for token stealing and is tested on multiple Windows 7 and Windows Server 2008 variants.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (win32k.sys)
No auth needed
Prerequisites: Windows 7 or Windows Server 2008 (x32/x64)
devstral-2 · analyzed Feb 23, 2026
patchapalooza WORKING POC
by mirrors_alpha1ab · poc
https://gitee.com/mirrors_alpha1ab/CVE-2018-8120

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2018-8120, targeting Windows systems (Win7, Win2008, WinXP, Win2003). The exploit leverages a vulnerability in the Windows kernel to escalate privileges by manipulating the token of the SYSTEM process.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (multiple versions)
No auth needed
Prerequisites: Local access to a vulnerable Windows system
devstral-2 · analyzed Feb 23, 2026
patchapalooza WRITEUP
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

This repository contains documentation and configuration scripts for a collection of Windows kernel exploits, including CVE-2008-1084. It includes README files with technical details and a Python script for generating documentation, but no functional exploit code for CVE-2018-8120.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Windows Kernel
No auth needed
Prerequisites: access to the repository · Python environment for documentation generation
devstral-2 · analyzed Feb 23, 2026
patchapalooza WORKING POC
by yjhcf · poc
https://gitee.com/yjhcf/CVE-2018-8120

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2018-8120, targeting Windows systems (Win7, Win2008, WinXP, Win2003). The exploit leverages a vulnerability in the Windows kernel to escalate privileges by manipulating the EPROCESS token structure.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (various versions)
No auth needed
Prerequisites: Local access to a vulnerable Windows system
devstral-2 · analyzed Feb 23, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45653/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040849
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104034

Scores

CVSS v3 7.0
EPSS 0.9415
EPSS Percentile 99.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-15
VulnCheck KEV 2018-05-08
InTheWild.io 2018-05-08
ENISA EUVD EUVD-2018-19796
Ransomware Use Confirmed
CWE CWE-404
Status published
Products (3)
microsoft/windows_7
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
Published May 09, 2018
KEV Added Mar 15, 2022
Tracked Since Feb 18, 2026