CVE-2018-8639

HIGH KEV RANSOMWARE

Windows - Elevation of Privilege via Win32k Memory Handling

Title source: llm

Exploitation Summary

CVE-2018-8639 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2025, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including ze0r, timwhitez, Ascotbe.

AI-analyzed exploit summary This is a working exploit for CVE-2018-8639, a Windows privilege escalation vulnerability. It leverages memory corruption in the win32k.sys driver to achieve arbitrary read/write in kernel memory, ultimately swapping the current process token with the SYSTEM token.

Description

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8641.

Exploits (4)

nomisec WORKING POC 127 stars

by ze0r · local

https://github.com/ze0r/CVE-2018-8639-exp

View Code ZIP pw:eip

This is a working exploit for CVE-2018-8639, a Windows privilege escalation vulnerability. It leverages memory corruption in the win32k.sys driver to achieve arbitrary read/write in kernel memory, ultimately swapping the current process token with the SYSTEM token.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Windows Server 2008 and Windows Server 2008 R2

Auth required

Prerequisites: Local access to the target system · Ability to execute code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 6 stars

by timwhitez · poc

https://github.com/timwhitez/CVE-2018-8639-EXP

View Code ZIP pw:eip

This repository contains an executable exploit for CVE-2018-8639, a Windows privilege escalation vulnerability. The README provides usage instructions and disclaimers about the potential misuse of the exploit.

Classification

Working Poc 80%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Windows 10 and Windows Server 2016

Auth required

Prerequisites: Local access to the target system · Valid user credentials

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

patchapalooza WRITEUP

by Ascotbe · local

https://github.com/Ascotbe/Kernelhub

View Code ZIP pw:eip

This repository contains documentation and configuration scripts for a collection of Windows kernel exploits, including CVE-2003-0352, CVE-2006-3439, CVE-2008-1084, and others. It includes README files in both Chinese and English, as well as a Python script for generating documentation.

Classification

Writeup 90%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: Windows Kernel

No auth needed

Prerequisites: access to the target system · specific Windows versions affected by the listed CVEs

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 23, 2026 Full analysis →

patchapalooza WORKING POC

by cbwang505 · poc

https://gitee.com/cbwang505/CVE-2018-8639-EXP

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2018-8639, a local privilege escalation vulnerability in Windows 7 SP1 64-bit due to a double-free in the window class handling mechanism. The exploit leverages the ReferenceClass function's improper handling of the lpszMenuName field during tagCLS structure cloning.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Windows 7 SP1 64-bit

Auth required

Prerequisites: Windows 7 SP1 64-bit system · Visual Studio 2013 for compilation

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (3)

Core 3

Core References

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8639

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106093

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8639

Scores

CVSS v3 7.8

EPSS 0.3319

EPSS Percentile 97.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2025-03-03

VulnCheck KEV 2022-01-26

ENISA EUVD EUVD-2018-20250

Ransomware Use Confirmed

CWE

CWE-404

Status published

Products (15)

microsoft/windows_10_1507

microsoft/windows_10_1607

microsoft/windows_10_1703

microsoft/windows_10_1709

microsoft/windows_10_1803

microsoft/windows_10_1809

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_2008

... and 5 more

Published Dec 12, 2018

KEV Added Mar 03, 2025

Tracked Since Feb 18, 2026