CVE-2015-0016
published 2015-01-13


Priority: P1 · 85 · high
CVSS 3.1: 7.8 (high)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-15
Exploited in the wild
EPSS: 75.94% (99.5th percentile)
Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) component in Microsoft Windows Vista SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to gain privileges via a crafted pathname in an executable file, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Directory Traversal Elevation of Privilege Vulnerability."

Affected (2 ranges)

Vendor      Product                 Version range   Fixed in
microsoft   windows_server_2008
microsoft   windows_server_2012

Detection & IOCs (extracted from sources)

path: %WINDIR%\System32\TSWbPrxy.exe
path: %TEMP%\cve-2015-0016.dll
filename: cve-2015-0016.dll
registry: PSHCMD (environment variable set via SetEnvironmentVariableA)
process: TSWbPrxy.exe
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,to_client; flowbits:set,SunDown.EK; file.data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; classtype:exploit-kit; sid:2023279; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2024_03_14;)
bytes: 9xb4GwTUbwUQoyD09AFIox7g9y6
  • Monitor for TSWbPrxy.exe spawning unexpected child processes, especially PowerShell, as the exploit abuses TSWbPrxy.exe to escape IE Protected Mode (Low Integrity) and execute code at Medium Integrity.
  • Detect the drop and load of cve-2015-0016.dll into the TEMP directory, which is the exploit DLL uploaded by the Metasploit module during exploitation.
  • Alert on processes transitioning from Low Integrity to Medium Integrity level, particularly those involving TSWbPrxy.exe, as this is the specific privilege escalation path described for this CVE.
  • Use the Emerging Threats Snort/Suricata rule SID 2023279 to detect SunDown Exploit Kit delivering CVE-2015-0016 payloads in HTTP responses via the content string '9xb4GwTUbwUQoyD09AFIox7g9y6'.
  • Monitor for the environment variable 'PSHCMD' being set via kernel32.SetEnvironmentVariableA, which is used by the exploit to stage the PowerShell payload before execution.
  • The Metasploit module only targets 32-bit Windows 7 SP1 and prior; it explicitly fails on Windows 8/2012, limiting the exploit's automated applicability despite the CVE affecting a broader OS range.
  • The exploit requires an existing Meterpreter session running at Low Integrity (IE Protected Mode); it is a local privilege escalation, not a remote code execution vector on its own.

CVSS provenance

nvd (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH