CVE-2015-2546
Published 2015-09-09
Priority: P1 · 82 · high · CVSS 3.1 base score 8.2
Vector: AV:L / AC:L / PR:L / UI:R / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-04-05)
Exploited in the wild
EPSS: 10.93% (percentile 95.3)
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2015-2546 (Win32k Memory Corruption EoP) was detected being exploited in the wild at the time of the September 2015 Patch Tuesday release; monitor for local privilege escalation attempts via crafted applications targeting the Win32k kernel-mode driver.
- CVE-2015-2546 is addressed by Microsoft bulletin MS15-097 (Windows GDI+); prioritize detection of exploitation attempts on all Windows versions including Windows 10.
- The vulnerability is exploited via a crafted local application targeting the Win32k kernel-mode driver; detection should focus on suspicious local processes attempting privilege escalation through Win32k.
- CVE-2015-2546 is a local privilege escalation only; an attacker must already have local access to the machine before exploiting this vulnerability.
- This vulnerability is distinct from CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518, which are separate Win32k memory corruption EoP issues patched in the same bulletin cycle.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.2 | HIGH | — |
| cisa | — | 8.2 | HIGH | — |
VulDB
CVE-2015-2546 [HIGH] Microsoft Windows Vista SP2 up to Server 2012 R2 Kernel-Mode Driver win32k.sys memory corruption (MS15-097 / Nessus ID 85877)
vuldb · 2026-04-22 · CVSS 8.2
A vulnerability, which was classified as problematic, was found in Microsoft Windows Vista SP2 up to Server 2012 R2. This affects an unknown function in the library win32k.sys of the component Kernel-Mode Driver. The manipulation results in memory corruption.
This vulnerability is identified as CVE-2015-2546. The attack is only possible with local access. Additionally, an exploit exists.
It is best practice to apply a patch to resolve this issue.
GHSA
CVE-2015-2546 [MEDIUM] CWE-119 GHSA-5c8h-c2cj-96mm
ghsa_unreviewed · 2022-05-14 · CVSS 6.9
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518.
GHSA
CVE-2015-2518 [MEDIUM] GHSA-gg7p-gv8f-3f34
ghsa_unreviewed · 2022-05-14 · CVSS 6.9
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2546.
GHSA
CVE-2015-2511 [MEDIUM] CWE-119 GHSA-45vm-92vp-645q
ghsa_unreviewed · 2022-05-14 · CVSS 6.9
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2517, CVE-2015-2518, and CVE-2015-2546.
GHSA
CVE-2015-2517 [MEDIUM] GHSA-w4g3-mf84-xf67
ghsa_unreviewed · 2022-05-14 · CVSS 6.9
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2518, and CVE-2015-2546.
VulnCheck
CVE-2015-2546 [HIGH] CWE-119 Microsoft Win32k Memory Corruption Vulnerability
vulncheck · 2015 · CVSS 8.2
The kernel-mode driver in Microsoft Windows OS and Server allows local users to gain privileges via a crafted application.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html
- http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf
- https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vuln
CISA
CVE-2015-2546 [HIGH] CWE-119 Microsoft Win32k Memory Corruption Vulnerability
cisa · 2022-03-15 · CVSS 8.2
Affected: Microsoft Win32k
The kernel-mode driver in Microsoft Windows OS and Server allows local users to gain privileges via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-2546
Remediation Due Date: 2022-04-05
No detection rules found.
No public exploits indexed.
Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
blogs_tenable · 2022-03-24
Checkpoint
CVE-2019-0859 Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
blogs_checkpoint · 2020-10-02
Research by: Itay Cohen, Eyal Itkin
In the past months, our Vulnerability and Malware Research tea
Securelist
CVE-2015-2546 [HIGH] A Modern Hypervisor as a Basis for a Sandbox
blogs_securelist · 2017-09-19 · CVSS 8.2
Table of contents:
- The infrastructure
- The internal structure
- Object processing and artifacts
- The logging subsystem
- Anti-evasion
- Vault 7 evasion methods
- Heuristic search for exploits
- CVE-2015-2546
- BlackEnergy in the sandbox
- Conclusions
Authors: Vyacheslav Rusakov, Vladislav Pintiysky
In the field of information security, sandboxes are used to isolate an insecure external environment from a secure internal environment (or vice versa), to protect against the exploitation of vulnerabilities, and to analyze malicious code. At Kaspersky Lab, we have several sandboxes, including an Android sandbox. In this article, we will look at just one of them that was customized to serve the needs of a specific product and became the basis of Kaspersky Anti Targeted Attack Platform. This particul
Qualys
[HIGH] Patch Tuesday September 2015 | Qualys
blogs_qualys · 2015-09-08 · CVSS 8.2
Hello to Patch Tuesday September 2015: We are ¾ through the year and have broken the 100 bulletin mark with this month's 12 additions. We are now projecting over 145 bulletins until the end of the year, a bit higher than our initial projection from May, when we said we would be seeing just over 140 bulletins this year.
Some of the growth can be attributed to new products, for example this month’s MS15-095 is for Microsoft’s Edge browser (four critical vulnerabilities) that did not exist before the introduction of Windows 10. But the real reason for the rise in bulletins is probably the rising attention that computer security is getting which makes looking at computer security issues a valid career choice for more and more professionals. Recent data breaches at OPM, Target and Ashley Madison
Krebs
[CRITICAL] Microsoft Pushes a Dozen Security Updates
blogs_krebs · 2015-09-08 · CVSS 9.3
Microsoft today released a dozen security updates for computers running supported versions of its Windows operating system. Five of the patches fix flaws that could get PCs compromised with little to no help from users, and five of the bulletins have vulnerabilities that were publicly disclosed before today (including one that reportedly has been detected in exploits in the wild). Separately, Adobe is pushing a security update for its Shockwave Player – a browser plugin that I’ve long urged readers to junk.
According to security firm Shavlik, the patches that address flaws which have already been publicly disclosed include a large Internet Explorer (IE) update that corrects 17 flaws and a fix for Microsoft Edge, Redmond’s flagship replacement browser for IE; both address this bug, among o
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext · 2025-02-12
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
References
- http://www.securityfocus.com/bid/76608
- http://www.securitytracker.com/id/1033485
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-097
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2546
Timeline
- 2015-09-09: Published
- 2022-03-15: Added to CISA KEV
- Exploited in the wild