CVE-2015-2426
published 2015-07-20


Priority: P1 · 92 · high · CVSS 3.1 score 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-04-18)
Exploited in the wild
EPSS: 86.69% (99.7th percentile)
Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Driver Vulnerability."

Affected (2 ranges)

Vendor      Product               Version range   Fixed in
microsoft   windows_server_2008   (not given)     (not given)
microsoft   windows_server_2012   (not given)     (not given)

Detection & IOCs (extracted from sources)

filename: atmfd.dll
  • Monitor for hidden spawning of notepad.exe from a Meterpreter/non-interactive session context — the exploit launches notepad.exe as a hidden process to host reflective DLL injection.
  • Detect reflective DLL injection of a file named reflective_dll.x64.dll dropped under a path containing 'CVE-2015-2426'.
  • The exploit targets atmfd.dll (Windows Adobe Type Manager Library) via a pool-based buffer overflow triggered by parsing a malformed OpenType font; alert on unusual kernel pool activity or crashes in atmfd.dll.
  • The exploit uses ROP gadgets within win32k.sys and ntoskrnl.exe; monitor for unexpected cross-process memory writes into win32k.sys or ntoskrnl.exe address space from user-mode processes.
  • The Metasploit module only supports Windows 8.1 x64 and specific win32k.sys/ntoskrnl.exe build versions (6.3.9600.17415, 17630, 17668, 17694, 17796, 17837, 17915, 17936); exploitation against other builds will fail version checks.
  • The module requires an existing Meterpreter session and will abort if the session is already SYSTEM or if running under WOW64.
  • ROP chain offsets are hardcoded per specific win32k.sys and ntoskrnl.exe build versions; if the target build is not in the supported list, the module returns CheckCode::Detected or CheckCode::Unknown and will not proceed.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             8.8     HIGH
cisa                  8.8     HIGH