CVE-2009-0078
Published: 2009-04-15
Priority: P275 · high · 7.2 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.74% (84.3th percentile)
The Windows Management Instrumentation (WMI) provider in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows WMI Service Isolation Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_vista | — | — |
Detection & IOCs
- Monitor for local privilege escalation attempts targeting the WMI service (winmgmt) where a process running under NetworkService or LocalService account attempts to access resources belonging to another process sharing the same service account, potentially escalating to LocalSystem.
- Alert on processes running under NetworkService or LocalService accounts that unexpectedly access handles, tokens, or memory of sibling processes sharing the same account, a key indicator of WMI service isolation abuse.
- Successful exploitation results in LocalSystem-level privileges; monitor for unexpected privilege elevation of processes originally running as NetworkService or LocalService to SYSTEM.
- Vulnerability is local-only; exploitation requires an attacker to already have local code execution on the target system under a low-privileged account.
- Affected platforms are Windows XP SP2/SP3, Server 2003 SP1/SP2, Vista Gold/SP1, and Server 2008; detection and patching priority should focus on these legacy OS versions.
CVSS provenance
- nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
- vulncheck · 7.2 HIGH
GHSA
GHSA-66w8-976g-q7m9: The Windows Management Instrumentation (WMI) provider in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 200
ghsa_unreviewed·2022-05-02
VulnCheck
Windows WMI Service Isolation Vulnerability
vulncheck·2009·CVSS 7.2
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/m
No detection rules found.
No writeups or analysis indexed.
- http://osvdb.org/53666
- http://www.securitytracker.com/id?1022044
- http://www.us-cert.gov/cas/techalerts/TA09-104A.html
- http://www.vupen.com/english/advisories/2009/1026
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-012
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6193