CVE-2017-0213
Published: 2017-05-12
Priority: P1 · 87 · high · CVSS 3.1 base score 7.3
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Tags: CISA KEV, exploited in the wild, public exploit, ransomware use
CISA Known Exploited Vulnerability (remediation due 2022-04-18)
Exploited in the wild
EPSS: 84.14% (99.7th percentile)
Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | windows_com | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2017-0213 is exploited for local privilege escalation via Windows COM Aggregate Marshaler type confusion; monitor for exploitation of BITS SetNotifyInterface with mismatched IID/OBJREF streams, and for type library loading under impersonation context.
- APT33 has used a publicly available exploit for CVE-2017-0213 for local privilege escalation; hunt for exploit binaries associated with this CVE on endpoints.
- Monitor Windows Event Log for Event ID 7031 (service terminated unexpectedly), which may indicate Ragnar Locker terminating services as part of post-exploitation following CVE-2017-0213 privilege escalation.
- Alert on vssadmin.exe invocations that delete shadow copies, a post-exploitation step observed after CVE-2017-0213 privilege escalation in Ragnar Locker attacks.
- The PoC exploit for CVE-2017-0213 abuses BITS SetNotifyInterface; monitor for unusual BITS service activity and type library loading from non-standard paths while impersonating low-privileged users.
- Network traffic to TOR nodes following initial compromise may indicate post-exploitation C2 activity in campaigns leveraging CVE-2017-0213.
- Type libraries are not loaded using the flag added after CVE-2015-1644 which prevents DLLs being loaded from the impersonated device map, leaving the type library loading vector open in the CVE-2017-0213 exploit chain.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 1.9 | LOW | AV:L/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | n/a | 7.3 | HIGH | n/a |
| cisa | n/a | 7.3 | HIGH | n/a |
| vendor_msrc | n/a | 6.7 | MEDIUM | n/a |
GHSA
GHSA-6pc8-xvmj-x3wh: Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-13·CVSS 7.0
Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.
GHSA
GHSA-8cpc-fr8p-99pq: Windows COM in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-13·CVSS 7.3
Windows COM in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when Windows fails to properly validate input before loading type libraries, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0213.
VulnCheck
Microsoft Windows Privilege Escalation Vulnerability
vulncheck·2017·CVSS 7.3
Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html; https://cybersecurityworks.com/howdymanage/uploads/file/v1-4-r_index-update-q121-csw-compressed.pdf; https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/; https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-netwalker/; https://www.hhs.gov/sites/default/files/netwalker.pdf; https:/
CISA
Microsoft Windows Privilege Escalation Vulnerability
cisa·2022-03-28·CVSS 7.3
Vulnerability: Microsoft Windows Privilege Escalation Vulnerability
Affected: Microsoft Windows
Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0213
Remediation Due Date: 2022-04-18
Microsoft
Windows COM Elevation of Privilege Vulnerability
vendor_msrc·2017-05-09·CVSS 6.7
Description: An elevation of privilege exists in Windows COM Aggregate Marshaler. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.
To exploit the vulnerability, an attacker could run a specially crafted application that could exploit the vulnerability. This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (e.g. a remote code execution vulnerability and another elevation of privilege) that could take advantage of the elevated privileges when running.
The update addresses the vulnerability by correcting how Windows COM Marshaler processes interface requests.
Windows COM: Windows
No detection rules found.
Bleepingcomputer
Privilege elevation exploits used in over 50% of insider attacks
blogs_bleepingcomputer·2023-12-08
By Bill Toulas
Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner.
A report by Crowdstrike based on data gathered between January 2021 and April 2023 shows that insider threats are on the rise and that using privilege escalation flaws is a significant component of unauthorized activity.
According to the report, 55% of insider threats logged by the company rely on privilege escalation exploits, while the remaining 45% unwittingly introduce risks by downloading or misusing offensive tools.
Rogue insiders typically turn against their employer b
Unit42
Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
blogs_unit42·2023-06-28·CVSS 9.1
Related: CVE-2021-26855 [CRITICAL]
Daniel Frank
Published: June 28, 2023
Tags: High Profile Threats, Malware, Cryptocurrency, Cryptojacking, CVE-2021-26855, CVE-2021-33766, CVE-2021-34473, CVE-2022-41040, Manic Menagerie, Microsoft Exchange Server, Persistence method, ProxyNotShell, Webshell
## Executive Summary
Unit 42 researchers discovered an active campaign that targeted several web hosting and IT providers in the United States and European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.
The threat actor deployed coin miners on hijacked machines to abuse the compromised servers’ resources. They have further deepened their foothold in victims’ environments by mass deployment of web shells, which granted them sustained access, as well as access to internal resources of the compromised websites.
In doing so, the attackers could potentially have turned the hijacked legitimate websites – hosted by the tar
Sentinelone
Ragnar Locker
blogs_sentinelone·2022-11-30
Fortinet
Ransomware Roundup: Ragnar Locker Ransomware | FortiGuard Labs
blogs_fortinet·2022-09-17·CVSS 7.3
By Shunichi Imano and James Slaughter | September 17, 2022
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within the OSINT community and our datasets. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This latest edition of the Ransomware Roundup covers the Ragnar Locker ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High
Ragnar Locker Ransomware
Ragnar Locker is ran
Trendmicro
Nefilim Ransomware Attack Through a MITRE Att&ck Lens
blogs_trendmicro·2021-06-28
Follow the story of Company X as they suffer an attack from the notorious modern ransomware family, Nefilim, and their affiliates, to learn how you can better mitigate against the common tactic and techniques used in these attacks.
By: Trend Micro
2021/06/28
Nefilim is among a new breed of ransomware families that use advanced techniques for a more targeted and virulent attack. It is operated by a group that we track under the intrusion set "Water Roc". This group combines advanced techniques with legitimate tools to make them significantly harder to detect and respond before it is too late.
This allows them to remain undetected in the system for weeks, navigating across the environment to maxim
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable·2021-01-21
Talos
Microsoft Patch Tuesday - May 2017
blogs_talos·2017-05-10·CVSS 7.5
Today, Microsoft has released their monthly set of security updates designed to address vulnerabilities. This month's release addresses 56 vulnerabilities with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, Sharepoint, and Windows.
In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.
## Vulnerabilities Rated Critical
The following vulnerabilities are rated critical by Microsoft:
- CVE-2017-0221
- CVE-2017-0222
- CV
Sentinelone
Ragnar Locker
blogs_sentinelone·CVSS 7.3
# Ragnar Locker Ransomware: In-Depth Analysis, Detection, Mitigation, and Removal
## Summary of Ragnar Locker Ransomware
Ragnar Locker emerged in December 2019. Ragnar Locker targets corporate networks and engages in multi-extortion – demanding payment for decryption tools, as well as for the non-release of stolen data. Ragnar Locker is a dangerous threat group that does not tolerate the use of “negotiation” or “recovery” companies during ransom negotiations. Furthermore, they often use different ransomware payloads from other malicious developers, keeping their malware up-to-date.
## What Does Ragnar Locker Ransomware Target?
Ragnar Locker ransomware typically targets organizations in a variety of industries, including healthcare, government, technology, finance, education, and media
Zscaler
Zscaler found Multiple Security Vulnerabilities | 05-09-2017
blogs_zscaler·CVSS 7.8
Crowdstrike
How Insiders Use Vulnerabilities Against Organizations
blogs_crowdstrike·CVSS 7.5
Threat Intel
APT33 (APT33, HOLMIUM, Elfin)
threat_intel
# Threat Actor Profile: APT33
ATT&CK ID: G0064
Also known as: APT33, HOLMIUM, Elfin, Peach Sandstorm
Suspected origin: Iran
## Overview
APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: APT33 has obtained and leveraged publicly-available tools for early intrusion activities.(Citation: FireEye APT33 Guardrail)(Citation: Symantec Elfin Mar 2019)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: APT33 has sent
Threat Intel
Threat Group-3390 (Threat Group-3390, Earth Smilodon, TG-3390)
threat_intel·CVSS 9.8
# Threat Actor Profile: Threat Group-3390
ATT&CK ID: G0027
Also known as: Threat Group-3390, Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse, Linen Typhoon
Suspected origin: China
## Overview
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)
## Techniques (TTPs)
### Resource Development
- T1608.001 Upload Malware
Usage: Threat Group-3390 has hosted mal
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
References
- http://www.securityfocus.com/bid/98102
- http://www.securitytracker.com/id/1038457
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0213
- https://www.exploit-db.com/exploits/42020/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0213
Timeline
- 2017-05-12: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild