CVE-2018-8453

HIGH KEV RANSOMWARE

Windows - Elevation of Privilege in Win32k Component

Exploitation Summary

CVE-2018-8453 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added January 21, 2022), with confirmed use in ransomware campaigns. EIP tracks 6 public exploits from researchers including Metasploit, ze0r and thepwnrip, among them the Metasploit module exploits/windows/local/cve_2018_8453_win32k_priv_esc.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2018-8453, a Win32k privilege escalation vulnerability in Windows. It uploads and executes a precompiled exploit binary to elevate privileges from a local session.

Description

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/47134

This Metasploit module exploits CVE-2018-8453, a Win32k privilege escalation vulnerability in Windows. It uploads and executes a precompiled exploit binary to elevate privileges from a local session.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows 10 v1703 (Build 15063) x86
Auth required
Prerequisites: Local access to the target system · Meterpreter session
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 122 stars
by ze0r · local
https://github.com/ze0r/cve-2018-8453-exp

This repository contains a working exploit for CVE-2018-8453, a Windows kernel vulnerability that allows local privilege escalation (LPE) via a use-after-free in win32k.sys. The exploit uses palette manipulation and pool feng shui techniques to achieve arbitrary read/write in kernel memory.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10 RS2 (15063/16299) and later versions (x86/x64)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Administrative or system-level privileges to execute the exploit
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 14 stars
by thepwnrip · poc
https://github.com/thepwnrip/leHACK-Analysis-of-CVE-2018-8453

This repository contains a writeup and presentation materials from leHACK 2019 analyzing CVE-2018-8453, a Use-After-Free (UAF) and double-free vulnerability in the Windows kernel driver win32k.sys. It discusses exploitation techniques, binary diffing, and mitigation bypasses but does not include actual exploit code.

Classification: Writeup 100%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Microsoft Windows (7, 8.1, 10) win32k.sys
No auth needed
Prerequisites: Access to a vulnerable Windows system · Knowledge of kernel exploitation techniques
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by Mkv4 · local
https://github.com/Mkv4/cve-2018-8453-exp

This repository contains a functional exploit for CVE-2018-8453, a Windows kernel privilege escalation vulnerability affecting Windows 8.1 and later. The exploit leverages a use-after-free in win32k.sys via Palette objects to achieve arbitrary kernel read/write and ultimately elevate privileges to SYSTEM.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows 8.1 and later (x86)
No auth needed
Prerequisites: Windows 8.1 or later (x86) · Local access to the target system
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC MANUAL
by ze0r, Kaspersky Lab, Jacob Robles · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2018_8453_win32k_priv_esc.rb

This Metasploit module exploits CVE-2018-8453, a Win32k privilege escalation vulnerability in Windows. It leverages a memory corruption flaw in the NtUserSetWindowFNID function to escalate privileges from a local user to SYSTEM.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows 10 v1703 (Build 15063) x86
Auth required
Prerequisites: Local access to the target system · Meterpreter session
devstral-2 · analyzed Feb 19, 2026
patchapalooza NO CODE
by Ascotbe · local
https://github.com/Ascotbe/Kernelhub

References (6)

Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041828
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://securelist.com/cve-2018-8453-used-in-targeted-attack
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105467

Scores

CVSS v3 7.8
EPSS 0.8133
EPSS Percentile 99.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-01-21
VulnCheck KEV 2018-08-17
InTheWild.io 2018-08-17
ENISA EUVD EUVD-2018-20088
Ransomware Use Confirmed
Status published
Products (17)
microsoft/windows_10_1507
microsoft/windows_10_1607
microsoft/windows_10_1703
microsoft/windows_10_1709
microsoft/windows_10_1803
microsoft/windows_10_1809
microsoft/windows_7
microsoft/windows_8.1
microsoft/windows_rt_8.1
microsoft/windows_server_1709
... and 7 more
Published Oct 10, 2018
KEV Added Jan 21, 2022
Tracked Since Feb 18, 2026