The vulnerability was combined with CVE-2015-3043 to perform Operation "Russian Doll".
Exploited by Russia's APT28 (Fancy Bear APT) in a cyber espionage campaign against U.S. defense contractors, European security companies and Eastern European government entities.
Advisory: SB2015051201 - Multiple vulnerabilities in Microsoft Windows
Vulnerable component: Windows
CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper access control. A local attacker can create a specially crafted application that executes a callback in user space and uses data from the System token to execute arbitrary code on the system with root privileges.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Known APT campaigns:
Operation "Russian Doll"
The operation is attributed to the Russian hacker group APT28. The group is suspected of targeting the German parliament, the French television network TV5Monde, the White House, and NATO.
- Microsoft Windows - Privilege Escalation (MS15-051) [Exploit-DB]
- Microsoft Windows - ClientCopyImage Win32k Exploit (MS15-051) (Metasploit) [Exploit-DB]