CVE-2023-35863

MEDIUM

MADEFORNET HTTP Debugger <= 9.12 - Race Condition via Unprivileged Driver Handle Acquisition

Title source: llm

Description

In MADEFORNET HTTP Debugger through 9.12, the Windows service does not set the seclevel registry key before launching the driver. Thus, it is possible for an unprivileged application to obtain a handle to the NetFilterSDK wrapper before the service obtains exclusive access.

References (3)

Core 3

Core References

Exploit, Technical Description, Third Party Advisory

https://ctrl-c.club/~blue/nfsdk.html

Product

https://www.madefornet.com/products.html

Broken Link

https://www.michaelrowley.dev/research/posts/nfsdk/nfsdk.html

Scores

CVSS v3 5.3

EPSS 0.0025

EPSS Percentile 15.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-362

Status published

Products (1)

madefornet/http_debugger < 9.12

Published Jul 05, 2023

Tracked Since Feb 18, 2026