Cyber Resilience

CVE-2016-0151

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · LPE

Published: 12 April 2016

Modified: 21 April 2026
KEV Added: 28 March 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3241 (97.0th percentile)
Risk Priority: 55 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-0151 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 3.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The vulnerability is a security feature bypass issue in the Client-Server Run-time Subsystem (CSRSS) component of Microsoft Windows, stemming from improper management of process tokens as classified under CWE-269. It affects Windows 8.1, Windows Server 2012 (including R2), Windows RT 8.1, and Windows 10 (Gold and 1511 releases), and carries a CVSS 3.1 base score of 7.8 reflecting high impact on confidentiality, integrity, and availability.

Local attackers can exploit the flaw by running a crafted application on an affected system, allowing them to bypass security restrictions and elevate privileges without requiring prior authentication or user interaction beyond executing the code.

Microsoft security bulletin MS16-048 addresses the issue through available patches, as referenced in the associated advisories from April 2016. Public exploit code for the vulnerability has also been published on Exploit-DB.

The issue enables local privilege escalation on unpatched systems meeting the affected platform criteria.

EU & UK References

Vulnerability details

The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."

CWE(s)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft windows 10 1507: all versions
microsoft windows 10 1511: all versions
microsoft windows 8.1: all versions
microsoft windows rt 8.1: all versions
microsoft windows server 2012: all versions, r2

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces access decisions on process tokens so the CSRSS token-mismanagement bypass cannot grant unauthorized privileges.

prevent: Limits privileges assigned via process tokens, preventing the crafted-application escalation path described in the CVE.

prevent: Requires prompt installation of the MS16-048 patch that corrects the CSRSS token-handling flaw before exploitation occurs.

References