CVE-2023-28252

HIGH KEV RANSOMWARE

Windows Common Log File System Driver - Heap-based Buffer Overflow

Title source: llm

Exploitation Summary

CVE-2023-28252 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 11, 2023, with confirmed use in ransomware campaigns. EIP tracks 8 public exploits from researchers including fortra, duck-sec and byt3n33dl3, as well as a Metasploit module, exploits/windows/local/cve_2023_28252_clfs_driver.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2023-28252, a privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. It includes a step-by-step breakdown of the exploitation process, patch analysis, and references to related research, but does not contain functional exploit code.

Description

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Exploits (8)

nomisec WRITEUP 180 stars
by fortra · local
https://github.com/fortra/CVE-2023-28252

This repository provides a detailed technical analysis of CVE-2023-28252, a privilege escalation vulnerability in the Windows Common Log File System (CLFS) driver. It includes a step-by-step breakdown of the exploitation process, patch analysis, and references to related research, but does not contain functional exploit code.

Classification: Writeup 95%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Windows CLFS.sys (versions 10.0.22000.1574 and others)
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to create and manipulate .blf files
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 54 stars
by duck-sec · local
https://github.com/duck-sec/CVE-2023-28252-Compiled-exe

This repository contains a functional exploit for CVE-2023-28252, a privilege escalation vulnerability in the Windows CLFS (Common Log File System) driver. The exploit leverages memory corruption to escalate privileges and execute arbitrary code, with modifications to support additional Windows versions and direct binary execution.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Windows 10/11 (21H2, 22H2), Windows Server 2022 (CLFS.SYS version 10.0.22000.1574)
Auth required
Prerequisites: Local access to the target system · Ability to execute arbitrary code on the target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 6 stars
by byt3n33dl3 · local
https://github.com/byt3n33dl3/CLFS

This repository contains a functional exploit PoC for CVE-2023-28252, targeting the Common Log File System (CLFS) driver in Windows. The exploit leverages memory corruption to achieve local privilege escalation (LPE) by manipulating CLFS structures and abusing kernel addresses.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Windows CLFS driver
No auth needed
Prerequisites: Access to a vulnerable Windows system · Ability to execute arbitrary code on the target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 4 stars
by bkstephen · poc
https://github.com/bkstephen/Compiled-PoC-Binary-For-CVE-2023-28252

This repository contains a precompiled binary for CVE-2023-28252, a local privilege escalation (LPE) vulnerability in Windows Common Log File System (CLFS). The binary is a modified version of Fortra's PoC, allowing arbitrary payload execution as NT AUTHORITY\SYSTEM.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows Common Log File System (CLFS) Driver
Auth required
Prerequisites: Local access to a vulnerable Windows system · Correct offset and flag values for the target system
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP
by Vulmatch · local
https://github.com/Vulmatch/CVE-2023-28252

This repository provides a technical analysis and visualization of the CVE-2023-28252 vulnerability, a Windows privilege escalation flaw in the Common Log File System (CLFS). It references external articles and includes diagrams to explain the exploit workflow but does not contain functional exploit code.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Windows 11 (CLFS)
Auth required
Prerequisites: Local access to a vulnerable Windows system · Low-privileged user account
devstral-2 · analyzed Feb 18, 2026
nomisec SUSPICIOUS
by Danasuley · poc
https://github.com/Danasuley/CVE-2023-28252-

The repository contains a vague README in Russian describing file creation detection for CVE-2023-28252 without providing actual exploit code or technical details. It lacks depth and appears to be a placeholder or lure.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by 726232111 · poc
https://github.com/726232111/CVE-2023-28252

The repository contains a functional exploit for CVE-2023-28252, a Windows local privilege escalation vulnerability. The code includes token manipulation and CRC32 computation, targeting the CLFS (Common Log File System) driver to escalate privileges to SYSTEM.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (CLFS driver)
Auth required
Prerequisites: Local access to a vulnerable Windows system · User-level authentication
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC GOOD
by Ricardo Narvaja, Esteban.kazimirow, jheysel-r7 · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2023_28252_clfs_driver.rb

This Metasploit module exploits a privilege escalation vulnerability in the Windows Common Log File System (clfs.sys) driver by manipulating .blf files to trigger an out-of-bounds read and overwrite a process token with a SYSTEM token. It uses a controlled memory space created via pipe allocation and deallocation to achieve local privilege escalation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: Windows 10 21H2, Windows 11 21H2, Windows Server 2022 (clfs.sys driver)
No auth needed
Prerequisites: Local access to a vulnerable Windows system · Meterpreter session
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 7.8
EPSS 0.4897
EPSS Percentile 98.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2023-04-11
VulnCheck KEV 2023-04-11
InTheWild.io 2023-04-11
ENISA EUVD EUVD-2023-31960
Ransomware Use Confirmed
CWE CWE-122, CWE-787
Status published
Products (15)
microsoft/windows_10_1507 < 10.0.10240.19869
microsoft/windows_10_1607 < 10.0.14393.5850
microsoft/windows_10_1809 < 10.0.17763.4252
microsoft/windows_10_20h2 < 10.0.19042.2846
microsoft/windows_10_21h2 < 10.0.19044.2846
microsoft/windows_10_22h2 < 10.0.19045.2846
microsoft/windows_11_21h2 < 10.0.22000.1817
microsoft/windows_11_22h2 < 10.0.22621.1555
microsoft/windows_server_2008
microsoft/windows_server_2008 r2 sp1
... and 5 more
Published Apr 11, 2023
KEV Added Apr 11, 2023
Tracked Since Feb 18, 2026