CVE-2010-3888
published 2010-10-08

Priority: P2 · 71 · high · 7.2 (CVSS 2.0)
Vector: AV:L / AC:L / Au:N / C:C / I:C / A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.93% (89.1th percentile)
Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July 2010 by the Stuxnet worm, and identified by Kaspersky Lab researchers and other researchers.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | |

Detection & IOCs (extracted from sources)

  • Detect privilege escalation attempt: alert on schtasks.exe invocations that include /disable followed immediately by /enable and then /run on the same task name within a short time window — this is the CRC32 collision trigger sequence used by the exploit.
  • Detect PoC-specific task name 'wDw00t' in scheduled task creation or task file path C:\windows\system32\tasks\wDw00t.
  • Detect PoC payload drop: monitor creation of xpl.bat in the %TEMP% directory containing 'net user /add' and 'net localgroup administrators /add' commands.
  • Detect LeastPrivilege-to-HighestAvailable substitution in task XML: file integrity monitoring on task XML files should flag replacement of 'LeastPrivilege' with 'HighestAvailable'.
  • The exploit drops a random-named .exe payload into %TEMP% before scheduling it; monitor for schtasks /create referencing executables under %TEMP% with random alphanumeric names.
  • The exploit only works against Windows Vista, Windows 7, and Windows Server 2008; it returns Safe on other OS versions.
  • The Metasploit module does not support WOW64 sessions; a 64-bit meterpreter session is required when targeting 64-bit systems.
  • The vulnerability relies on the Task Scheduler using only a CRC32 checksum for integrity validation, allowing an attacker with write access to their own task file to forge a valid checksum after modifying privilege fields.
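
The first detection note above (/disable, then /enable, then /run on the same task name within a short window) can be expressed as a small correlation rule. The sketch below is an added example, not code from this page or its sources; the event tuple format, the 60-second window and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)            # assumed threshold; tune per environment
SEQUENCE = ("disable", "enable", "run")   # order named in the detection note
TASK_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
ACTION_RE = re.compile(r'(?<!\S)/(disable|enable|run)(?!\S)', re.I)

# Constructed process-creation events (ISO time, user, command line); not real logs.
SAMPLE_EVENTS = [
    ("2010-07-01T09:00:00", "bob", r"schtasks /change /tn BackupJob /disable"),
    ("2010-07-01T10:00:00", "alice", r"C:\Windows\System32\schtasks.exe /change /tn wDw00t /disable"),
    ("2010-07-01T10:00:01", "alice", r"schtasks.exe /change /tn wDw00t /enable"),
    ("2010-07-01T10:00:02", "alice", r"schtasks.exe /run /tn wDw00t"),
    ("2010-07-01T10:00:03", "alice", r"notepad.exe notes.txt"),
    ("2010-07-01T13:00:00", "bob", r"schtasks /change /tn BackupJob /enable"),
    ("2010-07-01T13:00:05", "bob", r"schtasks /run /tn BackupJob"),
]

def parse(cmdline):
    """Return (task_name, action) for a schtasks command line, else None."""
    tn, act = TASK_RE.search(cmdline), ACTION_RE.search(cmdline)
    if not (tn and act and re.search(r"\bschtasks(\.exe)?\b", cmdline, re.I)):
        return None
    return (tn.group(1) or tn.group(2)).lstrip("\\").lower(), act.group(1).lower()

def detect(events):
    """Return alerts for disable -> enable -> run on one task inside WINDOW."""
    state = {}    # (user, task) -> (index of next expected step, time of /disable)
    alerts = []
    for ts, user, cmdline in sorted(events):
        parsed = parse(cmdline)
        if parsed is None:
            continue
        task, action = parsed
        when = datetime.fromisoformat(ts)
        key = (user.lower(), task)
        step, start = state.get(key, (0, None))
        if action == "disable":
            state[key] = (1, when)             # (re)start the sequence
        elif step and action == SEQUENCE[step] and when - start <= WINDOW:
            if step == 2:                      # /run completed the sequence
                alerts.append({"user": user, "task": task, "start": start.isoformat(), "end": ts})
                state.pop(key)
            else:
                state[key] = (step + 1, start)
        else:
            state.pop(key, None)               # out of order or too slow: reset
    return alerts
```

On the constructed events, only alice's three commands one second apart raise an alert; bob's disable and enable four hours apart do not.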

CVSS provenance

nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 7.2 | HIGH