CVE-2016-3223
published 2016-06-16

CVE-2016-3223: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10…

Priority: P2 63 high
CVSS 3.0: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 21.09% (97.3rd percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mishandle LDAP authentication, which allows man-in-the-middle attackers to gain privileges by modifying group-policy update data within a domain-controller data stream, aka "Group Policy Elevation of Privilege Vulnerability."

Affected

14 ranges (version range and fixed-in version are not recorded for any entry)

Vendor      Product                                      Version range   Fixed in
microsoft   windows_10                                   -               -
microsoft   windows_server_2008                          -               -
microsoft   windows_server_2012                          -               -
msrc        windows_10                                   -               -
msrc        windows_10_version_1511                      -               -
msrc        windows_7                                    -               -
msrc        windows_8.1                                  -               -
msrc        windows_rt_8.1                               -               -
msrc        windows_server_2008                          -               -
msrc        windows_server_2008_r2                       -               -
msrc        windows_server_2012                          -               -
msrc        windows_server_2012_r2                       -               -
msrc        windows_vista_service_pack_2                 -               -
msrc        windows_vista_x64_edition_service_pack_2     -               -

Detection & IOCs (extracted from sources)

command: gpupdate /target:user /force
command: net localgroup Administrators
  • Monitor for LDAP authentication traffic between domain members and domain controllers that is NOT protected by Kerberos: the vulnerability stems from mishandled LDAP authentication allowing MitM modification of group-policy update data.
  • Alert on unexpected new local administrator account creation (e.g. 'TestAdmin') via Group Policy User Configuration, especially when the policy originates from an unrecognised or rogue domain controller.
  • Detect forced group policy updates (gpupdate /force) initiated from a standard user session, particularly targeting user policy only (/target:user), which is the exploitation trigger in this attack chain.
  • Monitor for MitM-style ARP/DNS spoofing or rogue DC activity on the network that could redirect group policy LDAP traffic; correlate with subsequent local Administrators group membership changes.
  • Exploitation requires the attacker to already know valid domain user credentials and the target machine's FQDN, limiting opportunistic exploitation to scenarios with prior credential access or network reconnaissance.
  • Domain-joined systems with Windows Server 2012+ DCs and Windows 8+ clients are protected by Kerberos armoring (FAST) and are NOT vulnerable; detection/patching focus should prioritise older OS combinations.
  • The fix enforces Kerberos authentication for the specific LDAP calls used during group policy retrieval; environments that cannot patch should consider enforcing Kerberos armoring (FAST) as a compensating control.
  • The attack requires a network connection to a fake/rogue DC to be established after the victim logs in with cached credentials; air-gapping or strict network segmentation can prevent exploitation.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           3.0       8.1     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           2.0       9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc   -         8.1     HIGH       -