CVE-2016-3228
published 2016-06-16

Priority P259 · high · 8.8 (CVSS 3.0)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 13.34% (95.9th percentile)
Microsoft Windows Server 2008 SP2 and R2 SP1 and Windows Server 2012 Gold and R2 allow remote authenticated users to execute arbitrary code via a crafted NetLogon request, aka "Windows Netlogon Memory Corruption Remote Code Execution Vulnerability."

Affected

9 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | | |
| microsoft | windows_server_2012 | | |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | | |
| msrc | windows_server_2008_for_itanium-based_systems_service_pack_2 | | |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | | |
| msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | | |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | | |
| msrc | windows_server_2012 | | |
| msrc | windows_server_2012_r2 | | |

Detection & IOCs (extracted from sources)

  • The attack surface is the NetLogon service on domain controllers; monitor for anomalous or crafted NetLogon requests originating from domain-authenticated users
  • Scope detection to Windows Server roles only (2008 SP2, 2008 R2 SP1, 2012 Gold, 2012 R2); workstation OS is not affected
  • Exploitation requires domain authentication; unauthenticated remote exploitation is not possible, which reduces the external attack surface but elevates insider and lateral-movement risk
  • Security update KB3161561 is shared across bulletins MS16-075 and MS16-076; ensure it is applied only once and not double-counted in patch compliance tracking
  • As of advisory publication, the vulnerability had not been publicly disclosed or exploited in the wild, and exploitation on older software releases is rated 'Less Likely'

CVSS provenance

nvd v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
vendor_msrc: 8.8 HIGH