CVE-2016-3213
published 2016-06-16


Priority: P2 (72), high; CVSS 3.0 base score 8.8
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 70.29% (99.3th percentile)
The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold and 1511, and Internet Explorer 9 through 11 has an improper fallback mechanism, which allows remote attackers to gain privileges via NetBIOS name responses, aka "WPAD Elevation of Privilege Vulnerability."

Affected

19 ranges (the version range and fixed-in columns are not populated in this record)

Vendor     Product                                      Version range   Fixed in
microsoft  internet_explorer                            (none listed)   (none listed)
microsoft  internet_explorer                            (none listed)   (none listed)
microsoft  internet_explorer                            (none listed)   (none listed)
microsoft  windows_10                                   (none listed)   (none listed)
microsoft  windows_server_2008                          (none listed)   (none listed)
microsoft  windows_server_2012                          (none listed)   (none listed)
msrc       internet_explorer_11                         (none listed)   (none listed)
msrc       internet_explorer_9                          (none listed)   (none listed)
msrc       windows_10                                   (none listed)   (none listed)
msrc       windows_10_version_1511                      (none listed)   (none listed)
msrc       windows_7                                    (none listed)   (none listed)
msrc       windows_8.1                                  (none listed)   (none listed)
msrc       windows_rt_8.1                               (none listed)   (none listed)
msrc       windows_server_2008                          (none listed)   (none listed)
msrc       windows_server_2008_r2                       (none listed)   (none listed)
msrc       windows_server_2012                          (none listed)   (none listed)
msrc       windows_server_2012_r2                       (none listed)   (none listed)
msrc       windows_vista_service_pack_2                 (none listed)   (none listed)
msrc       windows_vista_x64_edition_service_pack_2     (none listed)   (none listed)

Detection & IOCs (extracted from sources)

command: NetBIOS name responses for WPAD
other: PPS rate ~30000, NetBIOS spoof for WPAD lookup
  • Monitor for NetBIOS name responses (NBT-NS) spoofing the hostname 'WPAD' on the network; high-volume UDP responses to WPAD lookups are a strong indicator of exploitation (BadTunnel/CVE-2016-3213).
  • Detect exploitation attempts via UNC link delivery (HTML or Office attachments) used to trigger the initial NetBIOS request to the attacker-controlled system.
  • Alert on sustained high-rate UDP NetBIOS traffic (port 137) from an external or unexpected source toward internal hosts, especially when targeting WPAD name resolution; this is consistent with the brute-force NAT-tunneling attack pattern.
  • Check the hosts file for the workaround entry '255.255.255.255 wpad'; its absence on patched systems, or its presence with a different IP, may indicate tampering or active exploitation.
  • Verify that both MS16-063 and MS16-077 are applied; systems missing either update remain exploitable even if the other patch is installed.
  • The Metasploit auxiliary module 'server/netbios_spoof_nat' implements the BadTunnel brute-force NAT-tunnel spoof for WPAD and is publicly available, lowering the bar for exploitation.
  • The attack works through NAT gateways because the stream of NetBIOS responses keeps the NAT mapping alive, so perimeter-only defenses are insufficient.
  • The Microsoft patches (MS16-063/MS16-077) change how the WPAD proxy host is identified but do NOT entirely eliminate the predictability of NetBIOS requests.
  • Applying the hosts-file workaround (255.255.255.255 wpad) breaks autoproxy discovery, causing applications such as Internet Explorer to fail to load websites.

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc  (n/a)     8.8     LOW        (none listed)