Cyber Resilience

CVE-2017-0213

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 12 May 2017

Modified: 22 April 2026
KEV Added: 28 March 2022
Patch
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9257 (99.8th percentile)
Risk Priority: 90 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-0213 is a high-severity vulnerability (weakness type unspecified) in Microsoft Windows Server 2008. Its CVSS base score is 7.3 (High).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2017-0213 resides in the Windows COM Aggregate Marshaler component and affects Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold/1511/1607/1703, and Windows Server 2016. It is classified as an elevation-of-privilege flaw distinct from CVE-2017-0214, with a CVSS 3.1 base score of 7.3 under the vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.

An attacker who can execute a specially crafted application on a vulnerable system is able to leverage the flaw to elevate privileges, potentially achieving full control over confidentiality, integrity, and availability on the host. The attack requires local access and some user interaction but does not demand high privileges or complex conditions.

Microsoft's security advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0213 supplies patch information and mitigation guidance for supported platforms. Public exploit code demonstrating the issue has been published on Exploit-DB.

EU & UK References

Vulnerability details

Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.

CWE(s)
KEV Date Added: 28 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor · Product · Versions
microsoft · windows 10 1507 · all versions
microsoft · windows 10 1511 · all versions
microsoft · windows 10 1607 · all versions
microsoft · windows 10 1703 · all versions
microsoft · windows 7 · all versions
microsoft · windows 8.1 · all versions
microsoft · windows rt 8.1 · all versions
microsoft · windows server 2008 · all versions, r2
microsoft · windows server 2012 · all versions, r2
microsoft · windows server 2016 · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely installation of the vendor patch that eliminates the COM Aggregate Marshaler flaw exploited by CVE-2017-0213.

prevent: Enforces least-privilege execution so that even a successful COM marshaling bypass cannot grant full administrative rights on the host.

prevent: Enforces the underlying Windows access-control decisions that the elevation-of-privilege attack attempts to subvert.

References