CVE-2010-1592
published 2010-04-28

Priority P181 · medium · 6.9 · CVSS 2.0
AV:L/AC:M/Au:N/C:C/I:C/A:C
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.43% (34.5th percentile)
sandra.sys 15.18.1.1 and earlier in the Sandra Device Driver in SiSoftware Sandra 16.10.2010.1 and earlier allows local users to gain privileges or cause a denial of service (system crash) via unspecified vectors involving "Model-Specific Registers."

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sisoftware | sandra | <= 16.10.2010.1 | |

Detection & IOCs (extracted from sources)

hash: 9a237fa07ce3ed06ea924a9bed4a6b99
filename: Sandra.sys
  • Detect Sandra.sys (MD5: 9a237fa07ce3ed06ea924a9bed4a6b99) loaded as a driver; its presence indicates exploitation of CVE-2010-1592 by the Slingshot APT rootkit to bypass x64 Driver Signing Protection.
  • Use Tenable Plugin 108411 (Malicious Process Detection: Authenticode Microsoft Manufacturer) to identify unsigned or tampered Microsoft DLLs indicative of Slingshot infection.
  • Monitor for ipv4.dll being downloaded from MikroTik routers via Winbox and loaded on endpoints, as this is the initial Slingshot dropper DLL.
  • CVE-2010-1592 affects sandra.sys version 15.18.1.1 and earlier, part of SiSoftware Sandra 16.10.2010.1 and earlier; exploitation is local (requires local access) and targets Model-Specific Registers.
  • The Slingshot APT exploited CVE-2010-1592 specifically to bypass x64 Driver Signing Protection as part of a multi-stage rootkit implantation chain; the driver was abused rather than being the primary payload.

CVSS provenance

nvd · v2.0 · 6.9 MEDIUM · AV:L/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 6.9 MEDIUM