Cyber Resilience

CVE-2011-2005

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 October 2011
Modified: 22 April 2026
KEV Added: 28 March 2022
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.6709 (98.6th percentile)
Risk Priority: 76 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2011-2005 is a high-severity local elevation-of-privilege vulnerability in Microsoft Windows XP and Windows Server 2003; no CWE is assigned to it. Its CVSS v3.1 base score is 7.8 (High): local attack vector, no privileges required, user interaction needed (the crafted application has to be run), and full impact on confidentiality, integrity and availability.

Operationally, its EPSS score places it in the top 1.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog (28 March 2022).

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege); on the affected platforms the actual fix is the MS11-080 update.

Deeper analysis

CVE-2011-2005 resides in afd.sys, the Ancillary Function Driver (the kernel-mode component that backs Winsock) in Microsoft Windows XP SP2 and SP3 and Windows Server 2003 SP2. It arises from insufficient validation of user-mode input passed to kernel mode, giving a local elevation-of-privilege condition rated CVSS 7.8.

A local user exploits the flaw by running a specially crafted application that hands malformed input to the driver; because the kernel trusts that input, the attacker obtains higher privileges on the target system. The CVSS vector records PR:N because no existing privilege beyond the ability to run local code is needed, and UI:R because the crafted application must be executed in the victim context.
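The bug class described above, as an added example that is not afd.sys code and not from the page's author: a portable C model of an IOCTL-style handler that uses a user-supplied pointer and length as-is, next to a version that probes each range the way ProbeForRead/ProbeForWrite would before touching it. The flat simulated address space, the USER_LIMIT split, the "token" object, the status codes and every function name are assumptions made for the illustration; the real afd.sys defect is not reproduced here.

```c
/* Model of a kernel handler trusting user-mode input (added example; the
 * address space, objects and names below are invented for illustration). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Flat simulated address space: addresses are indices into `mem`.
 * Everything below USER_LIMIT is "user mode", the rest is "kernel mode". */
#define MEM_SIZE    4096u
#define USER_LIMIT  2048u

/* Assumed kernel-mode object: a privilege token living in kernel space. */
#define KERNEL_TOKEN_ADDR  3000u
#define TOKEN_USER    0u
#define TOKEN_SYSTEM  1u

/* Status codes named after NTSTATUS values; the numbers are not Windows'. */
typedef enum { ST_SUCCESS = 0, ST_INVALID_PARAMETER,
               ST_ACCESS_VIOLATION, ST_BUFFER_TOO_SMALL } status_t;

/* Request as it arrives from user mode: every field is attacker-controlled,
 * including both pointers. */
typedef struct { uint32_t dst_addr, src_addr, length; } copy_request;

static uint8_t mem[MEM_SIZE];

void sim_reset(void) {
    uint32_t tok = TOKEN_USER;
    memset(mem, 0, sizeof mem);
    memcpy(&mem[KERNEL_TOKEN_ADDR], &tok, sizeof tok);
}

uint32_t sim_read_token(void) {
    uint32_t tok;
    memcpy(&tok, &mem[KERNEL_TOKEN_ADDR], sizeof tok);
    return tok;
}

/* Keeps the simulator itself memory-safe. A real kernel has no such
 * backstop, which is why the missing user/kernel check is fatal. */
static bool in_simulator(uint32_t addr, uint32_t len) {
    return len <= MEM_SIZE && addr <= MEM_SIZE - len;
}

/* VULNERABLE: the pattern behind the CVE. User pointers are used as-is, so
 * a destination in kernel space becomes an arbitrary kernel write and a
 * source in kernel space an arbitrary kernel read. */
status_t handle_copy_vulnerable(const copy_request *req) {
    if (!in_simulator(req->dst_addr, req->length) ||
        !in_simulator(req->src_addr, req->length))
        return ST_INVALID_PARAMETER;           /* simulator guard only */
    memmove(&mem[req->dst_addr], &mem[req->src_addr], req->length);
    return ST_SUCCESS;
}

/* Modelled on ProbeForRead/ProbeForWrite: reject an empty range, a range
 * whose end wraps around, or one that reaches into kernel space. */
status_t probe_user_range(uint32_t addr, uint32_t len) {
    if (len == 0) return ST_INVALID_PARAMETER;
    if (addr > UINT32_MAX - len) return ST_ACCESS_VIOLATION;  /* wraparound */
    if (addr + len > USER_LIMIT) return ST_ACCESS_VIOLATION;  /* kernel span */
    return ST_SUCCESS;
}

/* HARDENED: cap the length, then probe both user ranges before any copy. */
#define MAX_COPY_LEN 256u
status_t handle_copy_hardened(const copy_request *req) {
    status_t st;
    if (req->length > MAX_COPY_LEN) return ST_BUFFER_TOO_SMALL;
    if ((st = probe_user_range(req->src_addr, req->length)) != ST_SUCCESS) return st;
    if ((st = probe_user_range(req->dst_addr, req->length)) != ST_SUCCESS) return st;
    /* Both ranges are now inside the user half, so they are also in `mem`. */
    memmove(&mem[req->dst_addr], &mem[req->src_addr], req->length);
    return ST_SUCCESS;
}

/* The "crafted application": stage a SYSTEM token value in a user buffer
 * and ask the driver to copy it over the kernel token. Returns the token
 * value observed afterwards. */
uint32_t run_escalation(status_t (*handler)(const copy_request *)) {
    const uint32_t user_buf = 0x100;            /* user-mode staging buffer */
    uint32_t want = TOKEN_SYSTEM;
    copy_request req = { KERNEL_TOKEN_ADDR, user_buf, sizeof want };
    sim_reset();
    memcpy(&mem[user_buf], &want, sizeof want);
    (void)handler(&req);
    return sim_read_token();
}

int main(void) {
    printf("vulnerable handler: token = %u\n", (unsigned)run_escalation(handle_copy_vulnerable));
    printf("hardened handler:   token = %u\n", (unsigned)run_escalation(handle_copy_hardened));
    return 0;
}
```

The vulnerable handler leaves the token set to SYSTEM, the hardened one returns an access-violation status and leaves it untouched; the wraparound check matters because `addr + len` overflowing back into user space is a classic way to slip a kernel address past a naive `< USER_LIMIT` comparison.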

Microsoft security bulletin MS11-080 supplies the patches and mitigation steps for the affected platforms, and the associated OVAL definitions support detection of unpatched hosts. The issue is listed in the CISA Known Exploited Vulnerabilities Catalog, which confirms observed real-world exploitation. Windows XP and Windows Server 2003 are both out of support, so any host still running them should be treated as exposed unless the MS11-080 update is confirmed installed.

Vulnerability details

afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

CWE(s): none listed
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Windows Server 2003, all versions (the vulnerability text names SP2)
Microsoft Windows XP, all versions (the vulnerability text names SP2 and SP3)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly requires validation of user-mode inputs before they reach kernel-mode components such as afd.sys, eliminating the root cause of the EoP flaw.

AC-6 Least Privilege (prevent): limits which accounts can run arbitrary local code and so reduces the chance that a crafted application is executed at all. It does not bound the outcome once the flaw is triggered: code running in kernel mode is not constrained by the rights of the account that launched it.

Vendor patching (prevent): mandates timely application of the vendor update (MS11-080) that corrects the missing validation logic inside afd.sys.

References