CVE-2016-3368
published 2016-09-14

CVE-2016-3368: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10…

Priority: P2 · 62 · high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EPSS: 18.33% (96.9th percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow remote authenticated users to execute arbitrary code by leveraging a domain account to make a crafted request, aka "Windows Remote Code Execution Vulnerability."

Affected

16 ranges

Vendor    | Product                                     | Version range | Fixed in
----------|---------------------------------------------|---------------|---------
microsoft | windows_10                                  |               |
microsoft | windows_10                                  |               |
microsoft | windows_server_2008                         |               |
microsoft | windows_server_2012                         |               |
msrc      | windows_10                                  |               |
msrc      | windows_10_version_1511                     |               |
msrc      | windows_10_version_1607                     |               |
msrc      | windows_7                                   |               |
msrc      | windows_8.1                                 |               |
msrc      | windows_rt_8.1                              |               |
msrc      | windows_server_2008                         |               |
msrc      | windows_server_2008_r2                      |               |
msrc      | windows_server_2012                         |               |
msrc      | windows_server_2012_r2                      |               |
msrc      | windows_vista_service_pack_2                |               |
msrc      | windows_vista_x64_edition_service_pack_2    |               |

Detection & IOCs (extracted from sources)

  • Exploitation requires a domain user account to send a specially crafted request to a Windows host; monitor for anomalous authenticated RPC/LDAP/SMB requests from domain accounts targeting Windows systems, particularly those resulting in elevated privilege execution.
  • The vulnerability is triggered via Windows object handling in memory; monitor for unexpected privileged process spawning (elevated permissions) following inbound authenticated network requests on domain-joined Windows systems.
  • Affected platforms span Vista SP2 through Windows 10 1607 and Server 2008 through 2012 R2; prioritize detection on unpatched systems missing KB3184471, KB3185611, KB3193494, KB3185614, or KB3189866.
  • Exploit status at the time of the advisory: publicly disclosed: No; exploited: No. Exploitation is assessed as "Less Likely" for both the latest and older software releases, which reduces urgency but does not eliminate risk.
  • No concrete IOCs (hashes, IPs, domains, signatures) are present in the available sources; detection must rely on behavioral indicators (domain-authenticated crafted requests leading to elevated code execution) rather than static indicators.

CVSS provenance

Source      | Version | Score | Severity | Vector
------------|---------|-------|----------|-------------------------------------------------
nvd         | v3.0    | 8.8   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_msrc |         | 7.5   | HIGH     |