cbcvebase.
CVE-2016-0051
published 2016-02-10


Priority: P2 · 78 · high · 7.8 (CVSS 3.0)
CVSS 3.0 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 23.38% (97.5th percentile)
The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."

Affected (3 ranges)

Vendor      Product
microsoft   windows_10
microsoft   windows_server_2008
microsoft   windows_server_2012

(The version range and fixed-in columns are empty for all three rows.)

Detection & IOCs (extracted from sources)

path      data/exploits/cve-2016-0051/cve-2016-0051.x86.dll
filename  cve-2016-0051.x86.dll
filename  shellcode.dll
process   notepad.exe
command   NtFsControlFile with fsControlCode 0x900DB
ip        127.0.0.1
  • Exploit targets mrxdav.sys (WebDAV kernel driver) on Windows 7 SP1 x86 only; 64-bit and WOW64 processes are explicitly unsupported and will fail
  • Exploit spawns notepad.exe as a host process for reflective DLL injection; monitor for notepad.exe spawning from unusual parent processes or loading unexpected DLLs
  • Exploit uses reflective DLL injection of cve-2016-0051.x86.dll into a spawned process; detect reflective DLL injection patterns or the specific DLL name on disk
  • Exploit creates a fake WebDAV server on a random high port (1024–65535) on loopback and uses WNetAddConnection2 to connect to \\127.0.0.1@<port>\folder\; monitor for WebDAV connections to loopback addresses
  • Exploit calls NtFsControlFile with FSCTL code 0x900DB against a WebDAV file handle; this specific FSCTL code is the trigger for the privilege escalation vulnerability
  • Exploit allocates memory at fixed low address 0x1000 using NtAllocateVirtualMemory (NULL-page style allocation); detect low virtual address allocations in user-mode processes
  • Whitefly threat actor (G0107) used an open-source tool exploiting CVE-2016-0051 for privilege escalation on unpatched Windows systems in targeted espionage campaigns
  • Successful exploitation results in NT AUTHORITY\SYSTEM; monitor for unexpected SYSTEM-level process creation (e.g., cmd.exe spawned as SYSTEM from a non-SYSTEM parent)
  • Metasploit module only supports Windows 7 SP1 x86; explicitly fails against 64-bit and WOW64 targets
  • Exploit requires an existing Meterpreter session (local privilege escalation only, not remote code execution)
  • PoC C# exploit requires shellcode.dll to be present alongside the executable on the target machine
  • Running the exploit from a shell (non-RDP) session causes the privileged shell to spawn in a new GUI window, not in the current session

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.0     7.8    HIGH      CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck  –        7.8    HIGH      –