Zero-day vulnerability in Windows

Privilege escalation

The vulnerability was combined with CVE-2015-3043 to perform Operation "Russian Doll".

Exploited by Russia's APT28 (Fancy Bear APT) in a cyber espionage campaign against U.S. defense contractors, European security companies and Eastern European government entities.

Vulnerability details

Advisory: SB2015051201 - Multiple vulnerabilities in Microsoft Windows

Vulnerable component: Windows

CVE-ID: CVE-2015-1701

CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls


The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to improper access control. A local attacker can create a specially crafted application, execute a callback in userspace and use data from the System token to execute arbitrary code on the system with SYSTEM privileges.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Known APT campaigns:

Operation "Russian Doll"

The operation is associated with the Russian hacker group APT28. The hackers are suspected of targeting the German parliament, the French television network TV5Monde, the White House, and NATO.

Public Exploits: