Cyber Resilience

CVE-2016-0040

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 10 February 2016

Published
10 February 2016
Modified
22 April 2026
KEV Added
28 March 2022
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.7576 98.9th percentile
Risk Priority 81 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2016-0040 is a high-severity an unspecified weakness vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 1.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

The vulnerability is an elevation of privilege flaw in the Windows kernel, tracked as CVE-2016-0040 and also known as the Windows Elevation of Privilege Vulnerability. It affects Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1. The issue permits a local attacker to execute a specially crafted application that results in higher privileges on the affected system, with a CVSS 3.1 base score of 7.8 reflecting local access, low attack complexity, and high impact on confidentiality, integrity, and availability.

An attacker with the ability to run code on a vulnerable system can exploit the flaw by supplying a crafted application. Because the vector is local and requires no prior privileges, a standard user who launches the malicious application can obtain elevated rights, potentially allowing full control over the target machine.

Microsoft addressed the issue in security bulletin MS16-014, which provides patches for the listed Windows versions. The bulletin and associated SecurityTracker entries recommend applying the updates to eliminate the vulnerability. Public exploit code for the issue has been published on Exploit-DB.

EU & UK References

Vulnerability details

The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

CWE(s)
KEV Date Added
28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
windows 7
all versions
microsoft
windows server 2008
all versions, r2
microsoft
windows vista
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch (MS16-014) that eliminates the kernel EoP flaw.

prevent

Enforces least privilege so a successful local exploit yields minimal additional rights on the affected Windows kernel.

prevent

Mandates kernel-level access enforcement that the vulnerability bypasses when a crafted application is executed.

References