CVE-2015-1635
Published: 14 April 2015
Summary
CVE-2015-1635 is a critical-severity Code Injection (CWE-94) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2015-1635 is a remote code execution vulnerability in the HTTP.sys kernel-mode driver that handles HTTP requests in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2. The flaw, assigned CWE-94, permits an attacker to trigger arbitrary code execution by sending specially crafted HTTP requests to an affected system.
Remote, unauthenticated attackers can exploit the issue over the network to achieve full code execution with no user interaction required. Successful exploitation yields complete control over the target system, consistent with the vulnerability's CVSS 3.1 base score of 9.8, which reflects high impact on confidentiality, integrity, and availability.
The referenced Microsoft security bulletin MS15-034 provides official patches and mitigation guidance for the listed Windows versions. Public proof-of-concept code demonstrating the flaw has been released.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-1765
Vulnerability details
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 10 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the MS15-034 patch, which eliminates the HTTP.sys parsing flaw before remote exploitation can occur.
- SC-7 (Boundary Protection): boundary protection devices can inspect and drop the specially crafted HTTP requests that trigger the kernel-mode RCE before they reach vulnerable HTTP.sys listeners.
- Continuous monitoring: monitoring of inbound HTTP traffic and kernel events can identify anomalous request patterns indicative of attempted CVE-2015-1635 exploitation.