CVE-2002-0367
published 2002-06-25

CVE-2002-0367: smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to…

Priority: P276 high | 7.8 CVSS 3.1
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 5.19% (91.4th percentile)
smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit.

Affected

1 range

Vendor    | Product    | Version range | Fixed in
microsoft | windows_nt |               |

Detection & IOCs (extracted from sources)

process: smss.exe
filename: DebPloit
  • Monitor for unprivileged processes duplicating handles to privileged/SYSTEM processes via the Windows debugging subsystem (smss.exe). This is the core exploitation primitive for CVE-2002-0367.
  • Alert on mass-mailing worm activity on affected Windows NT 4.0/2000 hosts, as a worm was reported exploiting this vulnerability using the DebPloit proof-of-concept.
  • Detect local privilege escalation attempts where a low-privileged process gains SYSTEM-level privileges on Windows NT 4.0 or Windows 2000 hosts, consistent with handle duplication abuse.
  • The vulnerability is specific to Windows NT 4.0 and Windows 2000; the debugging subsystem is available to all local users on these platforms, making any local user a potential threat actor.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 7.2   | HIGH     | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck |         | 7.8   | HIGH     |
cisa      |         | 7.8   | HIGH     |