CVE-2015-2291
Published 2017-08-09
Priority: P1 81 high · CVSS 3.1 base score 7.8
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2023-03-03
Exploited in the wild
EPSS: 9.01% (94.6th percentile)
(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intel | ethernet_diagnostics_driver_iqvw32.sys | — | — |
| intel | ethernet_diagnostics_driver_iqvw64.sys | — | — |
Detection & IOCs (extracted from sources)
- Hunt for loading of iqvw64.sys or IQVW32.sys drivers with versions prior to 1.3.1.0, which are the vulnerable Intel Ethernet diagnostics drivers exploited via the BYOVD technique.
- Alert on crafted IOCTL calls to iqvw64.sys/IQVW32.sys using codes 0x80862013, 0x8086200B, 0x8086200F, or 0x80862007; these are the specific IOCTL codes used to trigger the vulnerability.
- Monitor for use of KDMapper or similar tools that map unsigned drivers into memory via BYOVD, as this is the publicly available tool used to exploit the vulnerable Intel driver.
- Detect attempts to overwrite kernel driver routines with trampoline code; the malicious driver in this campaign targeted the CrowdStrike Falcon sensor driver specifically.
- Monitor for use of self-signed or stolen code-signing certificates originally issued to NVIDIA and Global Software LLC, used by Scattered Spider to sign malicious drivers.
- In the Enigma Stealer campaign exploiting CVE-2015-2291, the Intel driver vulnerability was used to load a malicious driver designed to reduce the token integrity of Microsoft Defender; monitor for token integrity manipulation of AV/EDR processes.
- Monitor Windows registry hives for tampering by Scattered Spider attempting to bypass endpoint tools including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
- The vulnerable driver versions are strictly those prior to 1.3.1.0; detection rules should version-gate on IQVW32.sys and IQVW64.sys below this threshold to avoid false positives on patched systems.
- The BYOVD gap persists because Microsoft does not block vulnerable drivers by default, meaning even patched environments may be at risk if the old driver is re-introduced by an attacker.
- The Enigma Stealer campaign IOCs (IP 193.56.146.29, hashes) are associated with a separate threat actor (suspected Russian) also exploiting CVE-2015-2291, distinct from Scattered Spider; attribute carefully.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Intel Ethernet Diagnostics Driver for Windows Denial-of-Service Vulnerability
cisa · 2023-02-10 · CVSS 7.8 · HIGH · CWE-20
Affected: Intel Ethernet Diagnostics Driver for Windows
Intel ethernet diagnostics driver for Windows IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial-of-service (DoS).
Required Action: Apply updates per vendor instructions.
Notes: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00051.html; https://nvd.nist.gov/vuln/detail/CVE-2015-2291
Remediation Due Date: 2023-03-03
GHSA
GHSA-4w4w-866c-5vgg: (1) IQVW32
ghsa_unreviewed · 2022-05-17 · HIGH · CWE-20
(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.
VulnCheck
Intel Ethernet Diagnostics Driver for Windows Denial-of-Service Vulnerability
vulncheck · 2015 · CVSS 7.8 · HIGH · CWE-20
Intel ethernet diagnostics driver for Windows IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial-of-service (DoS).
Affected: Intel Ethernet Diagnostics Driver for Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf; https://www.trellix.com/en-us/about/newsroom/stories/research/scattered-spider-the-modus-operandi.html; htt
No detection rules found.
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Qualys
Understanding the Impact of Scattered Spider on the Airline & Transportation Industry
blogs_qualys · 2025-07-21 · CVSS 7.8 · HIGH
## Table of Contents
- What is Scattered Spider?
- Airline Industry Asset Risks
- Insights from the Threat Research Unit and Key Findings
- Key Impacts and Recommendations
- Measure, Communicate, and Eliminate Your Risk from Scattered Spider with Qualys
In June, the FBI publicly warned that Scattered Spider is actively targeting the aviation and transportation sectors, including well-known airlines and their third-party IT vendors. In this post, we will provide a brief overview of Scattered Spider, insights gathered by our research team into the vulnerabilities they target, and how organizations can protect themselves.
## What is Scattered Spider?
Scattered Spider is a financially motivated hacking collective (also known as UNC3944, Octo Tempest, Scatter Swine, and Star Fraud), mostly com
Trendmicro
Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs
blogs_trendmicro · 2023-02-09 · CVSS 7.8 · HIGH
Malware
We discovered an active campaign targeting Eastern Europeans in the cryptocurrency industry using fake job lures.
By: Aliakbar Zahravi, Peter Girnus, 2023/02/09
We recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the cryptocurrency industry to install an information stealer. In this campaign, the suspected Russian threat actors use several highly obfuscated and under-development custom loaders to infect those involved in the cryptocurrency industry with the Enigma Stealer (detected as TrojanSpy.MSIL.ENIGMASTEALER.YXDBC), a modified version of the Stealerium information stealer. In addition to these loaders, the attacker also expl
Threat Intel
Scattered Spider (Scattered Spider, Roasted 0ktapus, Octo Tempest)
threat_intel
# Threat Actor Profile: Scattered Spider
ATT&CK ID: G1015
Also known as: Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944
## Overview
Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023)
Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk
Crowdstrike
SCATTERED SPIDER Attempts to Avoid Detection with Bring-Your-Own-Driver Tactic
blogs_crowdstrike · CVSS 7.5 · CVE-2026-20929 [HIGH]
References
- http://packetstormsecurity.com/files/130854/Intel-Network-Adapter-Diagnostic-Driver-IOCTL-DoS.html
- http://www.securityfocus.com/bid/79623
- https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00051&languageid=en-fr
- https://www.exploit-db.com/exploits/36392/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2291
Published: 2017-08-09
Added to CISA KEV: 2023-02-10
Exploited in the wild