CVE-2007-5633
published 2007-10-23


Priority: P274, high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.94% (56.3th percentile)

Speedfan.sys in Alfredo Milani Comparetti SpeedFan 4.33, when used on Microsoft Windows Vista x64, allows local users to read or write arbitrary MSRs, and gain privileges and load unsigned drivers, via the (1) IOCTL_RDMSR 0x9C402438 and (2) IOCTL_WRMSR 0x9C40243C IOCTLs to \Device\speedfan, as demonstrated by an IOCTL_WRMSR action on MSR_LSTAR.

Affected

1 range
Vendor | Product | Version range | Fixed in
almico | speedfan | - | -

Detection & IOCs (extracted from sources)

hash: 5F9785E7535F8F602CB294A54962C9E7
filename: Speedfan.sys
path: \Device\speedfan
command: IOCTL_RDMSR 0x9C402438
command: IOCTL_WRMSR 0x9C40243C
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30681.zip

  • Detect IOCTL calls to \Device\speedfan with control codes 0x9C402438 (IOCTL_RDMSR) or 0x9C40243C (IOCTL_WRMSR), which indicate MSR read/write abuse via the vulnerable SpeedFan driver for privilege escalation.
  • Flag presence of SpeedFan.sys with MD5 hash 5F9785E7535F8F602CB294A54962C9E7, as this specific version was used by the Slingshot APT rootkit to bypass x64 Driver Signing Protection.
  • Detect the malicious ipv4.dll dropped on MikroTik routers and subsequently downloaded by Winbox clients as the initial infection vector leading to CVE-2007-5633 exploitation.
  • The vulnerability is specific to Microsoft Windows Vista x64; exploitation via the IOCTL_WRMSR code targets MSR_LSTAR to load unsigned drivers, so detection should be scoped to x64 Vista environments running SpeedFan 4.33.

CVSS provenance

nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 7.2 | HIGH