CVE-2016-0151
Published: 2016-04-12
Priority: P186 high · CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-18
Exploited in the wild
EPSS: 63.20% (99.1th percentile)
The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10_for_32-bit_systems | — | — |
| msrc | windows_10_for_x64-based_systems | — | — |
| msrc | windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | windows_8.1_for_32-bit_systems | — | — |
| msrc | windows_8.1_for_x64-based_systems | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
Detection & IOCs (extracted from sources)
- Hook of CsrClientCallServer in kernel32.dll's IAT (patching the ntdll.dll import) is a key exploit behaviour; monitor for IAT patching of kernel32.dll targeting ntdll!CsrClientCallServer at runtime.
- Exploit calls ImpersonateAnonymousToken on the current thread immediately before invoking CsrClientCallServer with opcode 0x10010005 (BaseSrvCheckVDM); detect ImpersonateAnonymousToken followed by CsrClientCallServer calls from non-system processes.
- Exploit spawns a 16-bit executable (edit.com) to trigger the BaseSrvCheckVDM CSRSS RPC path; alert on CreateProcess calls for edit.com or other 16-bit executables from non-legacy contexts on 32-bit Windows 8.1/10.
- Exploit uses NtGetNextProcess with MAXIMUM_ALLOWED to enumerate all processes after impersonating the anonymous token; detect NtGetNextProcess calls from user-mode processes combined with prior anonymous token impersonation.
- Exploit modifies the anonymous token's DefaultDacl using an SDDL string granting GA to Everyone (WD) and Anonymous (AN) before passing it as the process token; this SDDL pattern is a strong indicator of exploitation.
- Exploit directly manipulates the TEB (fs:[0x18] + 0x20) to overwrite the process ID field, enabling session-0 process creation abuse; this inline assembly pattern in user-mode code is highly suspicious.
- The exploit only works on 32-bit Windows; it explicitly exits if running under WOW64 or on 64-bit Windows.
- The vulnerability is exploitable only when the VDM (Virtual DOS Machine) is disabled (the default on 32-bit Windows 8 and above), which causes CSRSS to spawn the helper process that triggers the vulnerable code path.
- Exploitation requires the attacker to already be logged on locally; this is a local privilege escalation, not a remote vector.
- The PoC was tested on Windows 8.1 only; behaviour on Windows 10 or Windows 7 was not confirmed by the researcher.
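The sequence-based heuristics listed above, as an added Python example that is not from the page's sources: it runs over a constructed API-call trace and flags the anonymous-impersonation-then-CsrClientCallServer chain, process enumeration after impersonation, and the Everyone/Anonymous DefaultDacl pattern. The trace tuple layout, the `is_system` flag, and the exact SDDL ACE text are assumptions for the sake of the example.

```python
import re

# Constructed sample API-call trace (not real telemetry). Each event is
# (pid, tid, process_name, is_system, api, argument_string).
SAMPLE_TRACE = [
    (4120, 1, "sample.exe", False, "ImpersonateAnonymousToken", "thread=current"),
    (4120, 1, "sample.exe", False, "CsrClientCallServer", "opcode=0x10010005"),
    (4120, 1, "sample.exe", False, "NtGetNextProcess", "access=MAXIMUM_ALLOWED"),
    (4120, 1, "sample.exe", False, "SetTokenInformation",
     "DefaultDacl=D:(A;;GA;;;WD)(A;;GA;;;AN)"),
    (588, 7, "csrss.exe", True, "CsrClientCallServer", "opcode=0x10010005"),
    (2200, 3, "notepad.exe", False, "CsrClientCallServer", "opcode=0x10010003"),
]

VDM_CHECK_OPCODE = "0x10010005"  # BaseSrvCheckVDM, as quoted on the page
# Assumed SDDL ACE shape for "GA to Everyone (WD) and Anonymous (AN)".
SDDL_GA_ACE = re.compile(r"\(A;;GA;;;(WD|AN)\)")


def detect(trace):
    """Return (pid, rule_name) findings for the page's three sequence rules."""
    findings = []
    impersonated = set()  # (pid, tid) pairs that called ImpersonateAnonymousToken
    for pid, tid, _name, is_system, api, args in trace:
        if is_system:
            continue  # the rules only apply to non-system processes
        if api == "ImpersonateAnonymousToken":
            impersonated.add((pid, tid))
        elif (api == "CsrClientCallServer" and VDM_CHECK_OPCODE in args
              and (pid, tid) in impersonated):
            findings.append((pid, "anon-impersonation-then-BaseSrvCheckVDM"))
        elif (api == "NtGetNextProcess" and "MAXIMUM_ALLOWED" in args
              and any(p == pid for p, _ in impersonated)):
            findings.append((pid, "process-enumeration-after-anon-impersonation"))
        elif "DefaultDacl=" in args:
            # Order-insensitive: both WD and AN must receive GA.
            if set(SDDL_GA_ACE.findall(args)) == {"WD", "AN"}:
                findings.append((pid, "everyone-and-anonymous-GA-default-dacl"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_TRACE):
        print(f"pid {pid}: {rule}")
```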
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
VulDB
Microsoft Windows up to Server 2012 R2 CSRSS access control (MS16-048 / EDB-39740)
vuldb·2026-04-23·CVSS 7.8
CVE-2016-0151 [HIGH] Microsoft Windows up to Server 2012 R2 CSRSS access control (MS16-048 / EDB-39740)
A vulnerability described as problematic has been identified in Microsoft Windows 8.1/10/RT 8.1/Server 2012/Server 2012 R2. This impacts an unknown function of the component CSRSS. Executing a manipulation can lead to improper access controls.
The identification of this vulnerability is CVE-2016-0151. The attack can only be executed locally. Furthermore, there is an exploit available.
A patch should be applied to remediate this issue.
GHSA
GHSA-m2mf-9mv6-9g77: The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8
ghsa_unreviewed·2022-05-14
CVE-2016-0151 [HIGH] CWE-269 GHSA-m2mf-9mv6-9g77: The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8
The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."
VulnCheck
Microsoft Windows CSRSS Security Feature Bypass Vulnerability
vulncheck·2016·CVSS 7.8
CVE-2016-0151 [HIGH] CWE-264 Microsoft Windows CSRSS Security Feature Bypass Vulnerability
Microsoft Windows CSRSS Security Feature Bypass Vulnerability
The Client-Server Run-time Subsystem (CSRSS) in Microsoft mismanages process tokens, which allows local users to gain privileges via a crafted application.
Affected: Microsoft Client-Server Run-time Subsystem (CSRSS)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-18
CISA
Microsoft Windows CSRSS Security Feature Bypass Vulnerability
cisa·2022-03-28·CVSS 7.8
CVE-2016-0151 [HIGH] CWE-264 Microsoft Windows CSRSS Security Feature Bypass Vulnerability
Vulnerability: Microsoft Windows CSRSS Security Feature Bypass Vulnerability
Affected: Microsoft Client-Server Run-time Subsystem (CSRSS)
The Client-Server Run-time Subsystem (CSRSS) in Microsoft mismanages process tokens, which allows local users to gain privileges via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-0151
Remediation Due Date: 2022-04-18
Microsoft
Windows CSRSS Security Feature Bypass Vulnerability
vendor_msrc·2016-04-12·CVSS 7.8
CVE-2016-0151 [HIGH] Windows CSRSS Security Feature Bypass Vulnerability
Windows CSRSS Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists in Microsoft Windows when the Client-Server Run-time Subsystem (CSRSS) fails to properly manage process tokens in memory.
An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The security update addresses the vulnerability by correcting how Windows manages process tokens in memory.
No detection rules found.
References
- http://www.securitytracker.com/id/1035544
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-048
- https://www.exploit-db.com/exploits/39740/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0151
Timeline
- 2016-04-12: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild