Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-2459 — Improper Input Validation in Microsoft Windows Server 2008

CWE-20 — Improper Input Validation8 documents4 sources

Severity

9.3CRITICALNVD

EPSS

54.7%

top 1.96%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Microsoft Windows Server 2008 Microsoft Windows Server 2012

Timeline

PublishedAug 15

Latest updateMay 14

Description

ATMFD.DLL in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Parsing Vulnerability," a different vulnerability than CVE-2015-2458 and CVE-2015-2461.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages1 packages

▶NVDmicrosoft/windowsr2

Patches

Patch: docs.microsoft.com ↗Patch: docs.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-jvrr-j3q9-qv8w: ATMFD↗2022-05-14

▶

GHSA

GHSA-w5xx-wqgc-vg9r: ATMFD↗2022-05-14

▶

GHSA

GHSA-244f-jjf4-gvqg: ATMFD↗2022-05-14

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Windows - 'ATMFD.DLL' CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access↗2015-08-21

▶

Nuclei

Combodo iTop <2.2.0-2459 - Cross-Site Scripting

▶