CVE-2002-0367
published 2002-06-25
CVE-2002-0367: smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to…
Priority: P276 · high · 7.8 · CVSS 3.1
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS
5.19%
91.4th percentile
smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unprivileged processes duplicating handles to privileged/SYSTEM processes via the Windows debugging subsystem (smss.exe). This is the core exploitation primitive for CVE-2002-0367.
- Alert on mass-mailing worm activity on affected Windows NT 4.0/2000 hosts, as a worm was reported exploiting this vulnerability using the DebPloit proof-of-concept.
- Detect local privilege escalation attempts where a low-privileged process gains SYSTEM-level privileges on Windows NT 4.0 or Windows 2000 hosts, consistent with handle duplication abuse.
- The vulnerability is specific to Windows NT 4.0 and Windows 2000; the debugging subsystem is available to all local users on these platforms, making any local user a potential threat actor.
CVSS provenance
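| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |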
VulDB
Microsoft Windows NT 4.0/2000 Debugging Subsystem smss.exe privileges management (EUVD-2002-0364 / EDB-21344)
vuldb·2026-04-22·CVSS 7.8
CVE-2002-0367 [HIGH] Microsoft Windows NT 4.0/2000 Debugging Subsystem smss.exe privileges management (EUVD-2002-0364 / EDB-21344)
A vulnerability classified as problematic was found in Microsoft Windows NT 4.0/2000. This vulnerability affects unknown code of the file smss.exe of the component Debugging Subsystem. Executing a manipulation can lead to improper privilege management.
This vulnerability is registered as CVE-2002-0367. The attack needs to be launched locally. Furthermore, an exploit is available.
Upgrading the affected component is advised.
GHSA
GHSA-53gp-9cgv-fj68: smss
ghsa_unreviewed·2022-04-30
CVE-2002-0367 [HIGH] CWE-269 GHSA-53gp-9cgv-fj68: smss
smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.
VulnCheck
Microsoft Windows Privilege Escalation Vulnerability
vulncheck·2002·CVSS 7.8
CVE-2002-0367 [HIGH] Microsoft Windows Privilege Escalation Vulnerability
smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.exploit-db.com/exploits/21344; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-03-24
CISA
Microsoft Windows Privilege Escalation Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2002-0367 [HIGH] Microsoft Windows Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Privilege Escalation Vulnerability
Affected: Microsoft Windows
smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2002-0367
Remediation Due Date: 2022-03-24
No detection rules found.
No writeups or analysis indexed.
References
- http://marc.info/?l=ntbugtraq&m=101614320402695&w=2
- http://www.iss.net/security_center/static/8462.php
- http://www.securityfocus.com/archive/1/262074
- http://www.securityfocus.com/archive/1/264441
- http://www.securityfocus.com/archive/1/264927
- http://www.securityfocus.com/bid/4287
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-024
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A158
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A76
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2002-0367
2002-06-25: Published
2022-03-03: Added to CISA KEV
Exploited in the wild