Cyber Resilience

CVE-2015-2387

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 July 2015
Modified: 22 April 2026
KEV Added: 03 March 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2468 (96.3rd percentile)
Risk Priority: 50 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-2387 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

ATMFD.DLL in the Adobe Type Manager Font Driver is affected by a memory corruption vulnerability that permits local privilege escalation. The flaw impacts multiple Windows releases including Server 2003 SP2, Vista SP2, Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8 and 8.1, Server 2012 Gold and R2, and Windows RT Gold and 8.1. It is tracked as CWE-787 and carries a CVSS 3.1 base score of 7.8 under an AV:L/AC:L/PR:L/UI:N vector.

A local attacker with the ability to run a crafted application on an affected system can trigger the corruption to obtain elevated privileges, resulting in full control over confidentiality, integrity, and availability of the host. No remote attack vector or user-interaction requirement is described.

Microsoft security bulletin MS15-077 and the accompanying US-CERT alert TA15-195A address the issue and point to available updates for the listed platforms. No information on observed in-the-wild exploitation is supplied in the source data.

EU & UK References

Vulnerability details

ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "ATMFD.DLL Memory Corruption Vulnerability."

CWE(s)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
microsoft | windows 7 | all versions
microsoft | windows 8 | all versions
microsoft | windows 8.1 | all versions
microsoft | windows rt | all versions
microsoft | windows rt 8.1 | all versions
microsoft | windows server 2003 | all versions
microsoft | windows server 2008 | all versions, r2
microsoft | windows server 2012 | all versions, r2
microsoft | windows vista | all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely installation of the vendor patches (MS15-077) that eliminate the ATMFD.DLL memory-corruption flaw before local exploitation can succeed.

prevent: Mandates memory-protection mechanisms that block the out-of-bounds write (CWE-787) in ATMFD.DLL from corrupting kernel structures and achieving privilege escalation.

prevent: Enforces least-privilege execution so that even a successful local memory-corruption trigger in ATMFD.DLL yields only the minimal rights already assigned to the calling process.

References