CVE-2018-8440

HIGH KEV RANSOMWARE

Windows - Elevation of Privilege via ALPC

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2018-8440 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including sourceincite, SandboxEscaper, bwatters-r7, asoto-r7, Jacob Robles, including a Metasploit module exploits/windows/local/alpc_taskscheduler.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2018-8440, a privilege escalation vulnerability in Windows ALPC. The exploit leverages directory object manipulation and symbolic link techniques to achieve local privilege escalation.

Description

An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Exploits (2)

nomisec WORKING POC 80 stars
by sourceincite · local
https://github.com/sourceincite/CVE-2018-8440

This repository contains a proof-of-concept exploit for CVE-2018-8440, a privilege escalation vulnerability in Windows ALPC. The exploit leverages directory object manipulation and symbolic link techniques to achieve local privilege escalation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows (multiple versions)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Basic user privileges
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by SandboxEscaper, bwatters-r7, asoto-r7, Jacob Robles · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/alpc_taskscheduler.rb

This Metasploit module exploits CVE-2018-8440, a local privilege escalation vulnerability in Windows ALPC Task Scheduler. It abuses the SchRpcSetSecurity method to manipulate DACLs on .job files via hardlinks, allowing arbitrary file writes and privilege escalation.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows 10 x64 (and other vulnerable versions)
Auth required
Prerequisites: Meterpreter session · Access to create files in C:\Windows\Tasks · 64-bit Windows target
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://blog.0patch.com/2018/08/how-we-micropatched-publicly-dropped.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041578
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105153

Scores

CVSS v3 7.8
EPSS 0.1853
EPSS Percentile 96.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2018-09-05
InTheWild.io 2018-09-11
ENISA EUVD EUVD-2018-20076
Ransomware Use Confirmed
Status published
Products (12)
microsoft/windows_10_1607
microsoft/windows_10_1703
microsoft/windows_10_1709
microsoft/windows_10_1803
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
... and 2 more
Published Sep 13, 2018
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026