cbcvebase.
CVE-2009-0078
published 2009-04-15

CVE-2009-0078: The Windows Management Instrumentation (WMI) provider in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does…

PriorityP275high7.2CVSS 2.0
AVLACLAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
2.74%
84.3th percentile
The Windows Management Instrumentation (WMI) provider in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows WMI Service Isolation Vulnerability."

Affected

1 ranges
VendorProductVersion rangeFixed in
microsoftwindows_vista

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6705.zip
  • Monitor for local privilege escalation attempts targeting the WMI service (winmgmt) where a process running under NetworkService or LocalService account attempts to access resources belonging to another process sharing the same service account, potentially escalating to LocalSystem.
  • Alert on processes running under NetworkService or LocalService accounts that unexpectedly access handles, tokens, or memory of sibling processes sharing the same account — a key indicator of WMI service isolation abuse.
  • Successful exploitation results in LocalSystem-level privileges; monitor for unexpected privilege elevation of processes originally running as NetworkService or LocalService to SYSTEM.
  • ·Vulnerability is local-only; exploitation requires an attacker to already have local code execution on the target system under a low-privileged account.
  • ·Affected platforms are Windows XP SP2/SP3, Server 2003 SP1/SP2, Vista Gold/SP1, and Server 2008 — detection and patching priority should focus on these legacy OS versions.

CVSS provenance

nvdv2.07.2HIGHAV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck7.2HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.