CVE-2016-0151
CVE-2016-0151 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-28). The underlying weakness is classified as CWE-269.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 7.2
- EPSS exploit prediction: 63% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-28)
- EU (EUVD) id: EUVD-2016-0189
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-28)
- Weakness: CWE-269
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."
CVE-2016-0151: Windows CSRSS Token Mismanagement Enables Local Privilege Escalation
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2016-0151 is a local privilege escalation vulnerability in Microsoft Windows, rooted in improper token management within the Client-Server Run-time Subsystem (CSRSS). By leveraging a crafted application, a local attacker can manipulate process tokens and bypass security boundaries to gain elevated privileges. This flaw carries significant real-world risk: it is catalogued in CISA's Known Exploited Vulnerabilities (KEV) list and tied to active exploitation and ransomware campaigns.
Background
CSRSS (csrss.exe) is a critical Windows subsystem process that manages the console window, thread creation, and portions of the 16-bit virtual MS-DOS environment. Because it operates with high privileges and interacts closely with user-mode processes, its integrity is essential to system security. In 2016, Microsoft patched a token-management defect in CSRSS that allowed a lower-privileged process to tamper with token handles and assume higher privileges. The vulnerability was disclosed as part of Microsoft's April 2016 Patch Tuesday release, documented in security bulletin MS16-048.
Root Cause
The underlying weakness is classified as CWE-269: Improper Privilege Management. The CSRSS subsystem failed to correctly validate or isolate process tokens when handling inter-process communication. Specifically, the subsystem mismanaged token objects, allowing a non-privileged process to obtain or modify a token associated with a higher-privileged context. This breaks the fundamental Windows security model of token-based access control, where a process's identity and rights are bound to its access token.
Impact
The vulnerability is rated High severity under CVSS v3.1 with a base score of 7.8 (vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The CVSS v2 score is 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C). Both metrics indicate that successful exploitation grants complete confidentiality, integrity, and availability compromise from a local attack vector with low complexity and no prior privileges required (beyond local access). The attacker impact is total system takeover on affected hosts.
The Exploit Prediction Scoring System (EPSS) assigns this CVE a probability of 0.63195 (approximately 63.2%), placing it in the 99.1st percentile of all CVEs — signalling that exploitation in the wild is highly likely. CISA added it to the KEV catalog on 28 March 2022, and the EU Vulnerability Database (EUVD) confirms active exploitation from the same date.
Exploitation Walkthrough
From a defensive research perspective, exploitation follows this general pattern:
- The attacker executes a crafted application in the context of a low-privileged local user.
- The application interacts with the CSRSS subsystem through legitimate Windows IPC mechanisms.
- Due to the token mismanagement flaw, the application manipulates a process token handle to reference a higher-privileged security context.
- The attacker process then assumes the elevated token, effectively bypassing normal access controls and gaining privileges such as SYSTEM.
Ethics caveat: This description is intentionally generic and oriented toward detection and defence. Security teams should use this understanding to audit token-handling behaviour and monitor CSRSS interactions rather than attempt reproduction on production systems.
Affected and Patched Versions
The following Microsoft operating systems are confirmed vulnerable:
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows 10 (initial release, version 1507)
- Windows 10, version 1511 (November Update)
Microsoft released patches via MS16-048 in April 2016. Systems updated through standard Windows Update or WSUS channels after that date are protected.
Remediation
Primary control: Apply the MS16-048 security update to all affected systems. Given the confirmed in-the-wild exploitation and ransomware linkage, prioritise patching for:
- Internet-facing and externally accessible endpoints
- Domain controllers and other critical infrastructure
- Systems running legacy or extended-support Windows versions
Compensating controls where patching is not immediately possible:
- Restrict local login and interactive access to essential administrators only.
- Enforce application whitelisting (AppLocker or Windows Defender Application Control) to prevent execution of untrusted binaries.
- Enable Credential Guard and Device Guard on supported Windows 10/Server 2016 and later systems to harden token security.
- Monitor for anomalous token-elevation events using Sysmon or native Windows Event Log auditing (Event ID 4673, 4674).
Detection
Security operations teams should monitor for indicators of privilege escalation adjacent to CSRSS:
- Sysmon Event ID 10 (ProcessAccess) showing unusual access to
csrss.exefrom non-system processes. - Windows Security Event ID 4673 (Privileged Service Called) and 4674 (Operation Attempted on a Privileged Object) with object type
Token. - Endpoint detection rules flagging token-duplication or handle-manipulation API calls (
DuplicateTokenEx,SetThreadToken) from user-level processes. - EDR telemetry showing child processes of
csrss.exeor unexpected token elevation shortly after process creation.
Assessment
CVE-2016-0151 is a textbook example of how a single subsystem-level token-management bug can undermine the entire Windows access-control model. The combination of a local attack vector, low exploitation complexity, and complete system compromise makes it a valuable target for threat actors. Its high EPSS score and confirmed presence on the CISA KEV list, alongside ransomware associations, underscore the need for prompt remediation even on systems that are not directly internet-facing.
Two lessons emerge:
- Subsystem integrity is critical. Because CSRSS sits at the boundary between user mode and kernel-assisted services, even a small flaw in its privilege-handling logic cascades into full system compromise.
- Patching legacy systems remains essential. Several affected versions (Windows 8.1, Server 2012, early Windows 10 releases) are either in extended support or approaching end-of-life. Organisations retaining these systems must treat them as high-risk and isolate or upgrade them accordingly.
References
Frequently asked questions
- What is CVE-2016-0151?
- The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."
- How severe is CVE-2016-0151?
- CVE-2016-0151 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2016-0151 being actively exploited?
- Yes. CVE-2016-0151 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2016-0151?
- CVE-2016-0151 primarily affects Microsoft Windows 10 1507. In total, 6 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2016-0151?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2016-0151 have an EU (EUVD) identifier?
- Yes. CVE-2016-0151 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2016-0189. It is also flagged as exploited in the EUVD (since 2022-03-28).
- When was CVE-2016-0151 published?
- CVE-2016-0151 was published on 2016-04-12 and last updated on 2026-06-17.
References
- http://www.securitytracker.com/id/1035544
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-048
- https://www.exploit-db.com/exploits/39740/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0151
Affected products (6)
- cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1511:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…
All CVEs affecting Microsoft Windows 10 1507 →
Other CWE-269 (Improper Privilege Management) vulnerabilities
- CVE-2026-31852 — Critical (CVSS 10.0): Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is…
- CVE-2025-20282 — Critical (CVSS 10.0): A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-0505 — Critical (CVSS 10.0): On Arista CloudVision systems (virtual or physical on-premise deployments), Zero Touch Provisioning can be used to gain…
- CVE-2023-48418 — Critical (CVSS 10.0): In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW…
- CVE-2023-48419 — Critical (CVSS 10.0): An attacker in the wifi vicinity of a target Google Home can spy on the victim, resulting in Elevation of Privilege
- CVE-2023-31273 — Critical (CVSS 10.0): Protection mechanism failure in some Intel DCM software before version 5.2 may allow an unauthenticated user to…
Browse all CWE-269 (Improper Privilege Management) vulnerabilities →