CVE-2015-2546
published 2015-09-09

Priority: P182 · high · 8.2 · CVSS 3.1
AV:L · AC:L · PR:L · UI:R · S:C · C:H · I:H · A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2022-04-05
Exploited in the wild
EPSS: 10.93% (95.3th percentile)
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518.

Affected

2 ranges

Vendor     Product              Version range  Fixed in
microsoft  windows_server_2008
microsoft  windows_server_2012

Detection & IOCs (extracted from sources)

  • CVE-2015-2546 (Win32k Memory Corruption EoP) was detected being exploited in the wild at the time of the September 2015 Patch Tuesday release; monitor for local privilege escalation attempts via crafted applications targeting the Win32k kernel-mode driver.
  • CVE-2015-2546 is addressed by Microsoft bulletin MS15-097 (Windows GDI+); prioritize detection of exploitation attempts on all Windows versions including Windows 10.
  • The vulnerability is exploited via a crafted local application targeting the Win32k kernel-mode driver; detection should focus on suspicious local processes attempting privilege escalation through Win32k.
  • CVE-2015-2546 is a local privilege escalation only; an attacker must already have local access to the machine before exploiting this vulnerability.
  • This vulnerability is distinct from CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518, which are separate Win32k memory corruption EoP issues patched in the same bulletin cycle.

CVSS provenance

nvd        v3.1  8.2  HIGH    CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
nvd        v2.0  6.9  MEDIUM  AV:L/AC:M/Au:N/C:C/I:C/A:C
vulncheck        8.2  HIGH
cisa             8.2  HIGH