CVE-2015-2291
published 2017-08-09


Priority: high
CVSS 3.1: 7.8 (high), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2023-03-03
Exploited in the wild
EPSS: 9.01% (94.6th percentile)
(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.

Affected

2 ranges
Vendor   Product                                   Version range    Fixed in
intel    ethernet_diagnostics_driver_iqvw32.sys    before 1.3.1.0   1.3.1.0
intel    ethernet_diagnostics_driver_iqvw64.sys    before 1.3.1.0   1.3.1.0

Detection & IOCs (extracted from sources)

filename: iqvw64.sys
filename: IQVW32.sys
other: IOCTL 0x80862013
other: IOCTL 0x8086200B
other: IOCTL 0x8086200F
other: IOCTL 0x80862007
  • Hunt for loading of iqvw64.sys or IQVW32.sys drivers with versions prior to 1.3.1.0, which are the vulnerable Intel Ethernet diagnostics drivers exploited via BYOVD technique.
  • Alert on crafted IOCTL calls to iqvw64.sys/IQVW32.sys using codes 0x80862013, 0x8086200B, 0x8086200F, or 0x80862007 — these are the specific IOCTL codes used to trigger the vulnerability.
  • Monitor for use of KDMapper or similar tools that map unsigned drivers into memory via BYOVD, as this is the publicly available tool used to exploit the vulnerable Intel driver.
  • Detect attempts to overwrite kernel driver routines with trampoline code — the malicious driver in this campaign targeted the CrowdStrike Falcon sensor driver specifically.
  • Monitor for drivers signed with self-signed certificates, or with stolen code-signing certificates originally issued to NVIDIA and Global Software LLC, which Scattered Spider used to sign malicious drivers.
  • In the Enigma Stealer campaign exploiting CVE-2015-2291, the Intel driver vulnerability was used to load a malicious driver designed to reduce the token integrity of Microsoft Defender — monitor for token integrity manipulation of AV/EDR processes.
  • Monitor Windows registry hives for tampering by Scattered Spider attempting to bypass endpoint tools including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.
  • The vulnerable driver versions are strictly those prior to 1.3.1.0 — detection rules should version-gate on IQVW32.sys and IQVW64.sys below this threshold to avoid false positives on patched systems.
  • The BYOVD gap persists because Microsoft does not block vulnerable drivers by default, meaning even patched environments may be at risk if the old driver is re-introduced by an attacker.
  • The Enigma Stealer campaign IOCs (IP 193.56.146.29, hashes) are associated with a separate threat actor (suspected Russian) also exploiting CVE-2015-2291, distinct from Scattered Spider — attribute carefully.
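One way to implement the version gate recommended above, as an added example that is not part of this CVE record and not vendor tooling: it flags driver-load events for IQVW32.sys / IQVW64.sys whose file version is below 1.3.1.0 and checks IOCTL codes against the list on this page. The Sysmon-style field names ImageLoaded and FileVersion and the sample events are assumptions.

```python
"""Version-gated detection for loads of the vulnerable Intel IQVW drivers."""
import ntpath
from typing import Iterable

VULNERABLE_DRIVERS = {"iqvw32.sys", "iqvw64.sys"}
FIXED_VERSION = (1, 3, 1, 0)  # first fixed release named in the advisory
# IOCTL codes named in CVE-2015-2291 as the crafted calls that reach the bug.
SUSPECT_IOCTLS = {0x80862013, 0x8086200B, 0x8086200F, 0x80862007}


def parse_version(text: str) -> tuple:
    """'1.3.0.9' -> (1, 3, 0, 9); missing fields are padded with 0 so that a
    truncated '1.2' still compares correctly against the four-part fix version."""
    parts = []
    for field in text.strip().split("."):
        digits = "".join(ch for ch in field if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_vulnerable_driver(image_path: str, file_version: str) -> bool:
    """True only for an IQVW driver (any path, any case) older than 1.3.1.0."""
    name = ntpath.basename(image_path).lower()
    return name in VULNERABLE_DRIVERS and parse_version(file_version) < FIXED_VERSION


def is_suspect_ioctl(code: int) -> bool:
    """True when an IOCTL code matches one of the four codes in the advisory."""
    return code in SUSPECT_IOCTLS


def find_vulnerable_loads(events: Iterable[dict]) -> list:
    """Return (ImageLoaded, FileVersion) pairs that should raise an alert."""
    hits = []
    for ev in events:
        if is_vulnerable_driver(ev.get("ImageLoaded", ""), ev.get("FileVersion", "0")):
            hits.append((ev["ImageLoaded"], ev["FileVersion"]))
    return hits


# Constructed sample driver-load events (Sysmon Event ID 6 style field names assumed).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\Temp\iqvw64.sys", "FileVersion": "1.3.0.7"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\IQVW64.sys", "FileVersion": "1.3.1.0"},
    {"ImageLoaded": r"C:\Users\Public\IQVW32.sys", "FileVersion": "1.2"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\example_nic.sys", "FileVersion": "1.0.0.1"},
]

if __name__ == "__main__":
    for path, ver in find_vulnerable_loads(SAMPLE_EVENTS):
        print(f"ALERT vulnerable IQVW driver loaded: {path} (version {ver})")
```

Only the two loads below 1.3.1.0 are reported; the patched 1.3.1.0 copy and the unrelated driver are ignored, so patched hosts do not generate noise.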

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck   -         7.8     HIGH       -
cisa        -         7.8     HIGH       -