CVE-2015-2370
published 2015-07-14

Priority: P2 74 high
CVSS 2.0 score: 7.2 (AV:L / AC:L / Au:N / C:C / I:C / A:C)
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 4.42% (90.1th percentile)
The authentication implementation in the RPC subsystem in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not prevent DCE/RPC connection reflection, which allows local users to gain privileges via a crafted application, aka "Windows RPC Elevation of Privilege Vulnerability."

Affected

3 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_2003_server | (not listed) | (not listed)
microsoft | windows_server_2008 | (not listed) | (not listed)
microsoft | windows_server_2012 | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37768.zip
filename: trebuchet.exe
filename: Microsoft.VisualStudio.OLE.Inerop.dll
  • Detect execution of trebuchet.exe or child processes spawning from it, particularly when it is used to copy files into privileged system directories such as C:\Windows\System32\.
  • Monitor for the presence of Microsoft.VisualStudio.OLE.Inerop.dll (note the typo: 'Inerop' not 'Interop') alongside unknown executables; this DLL is a required dependency of the Trebuchet exploit tool.
  • Detect symbolic link / junction creation activity (CreateSymlink tooling) in conjunction with RPC activity, as the exploit chains NTLM reflection with symlink abuse to write files to privileged locations.
  • The exploit can only be triggered once every 2-3 minutes because the RPC connection is held up by LocalSystem; repeated rapid execution attempts will fail, which may affect detection timing thresholds.
  • The Trebuchet PoC was tested only on x64/x86 Windows 7 and Windows 8.1; applicability to the other affected OS versions listed in the CVE (e.g., Server 2003, Vista, Server 2008/R2, Server 2012) should be independently verified.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 7.2 | HIGH |