CVE-2017-0213

CVE-2017-0213 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-28).

Key facts

Description

Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.

CVE-2017-0213: Windows COM Aggregate Marshaler Local Privilege Escalation

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2017-0213
CVSS v2 1.9 (AV:L/AC:M/Au:N/C:N/I:P/A:N)
CVSS v3 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS 0.84138 (99.66th percentile)
KEV Yes (Added 2022-03-28)
CWE Not specified in source data

Summary

Windows COM Aggregate Marshaler in multiple Microsoft Windows versions contains an elevation of privilege vulnerability. An attacker who runs a specially crafted application can exploit this flaw to gain elevated privileges on the target system.

Background

The Component Object Model (COM) is a Microsoft framework for software component interaction. The COM Aggregate Marshaler handles the marshaling of COM interfaces across process boundaries. In May 2017, Microsoft disclosed that this component contained a vulnerability that could be abused for local privilege escalation.

Root Cause

The vulnerability stems from improper handling of objects within the COM Aggregate Marshaler. While the specific CWE is not cataloged in the source data, the flaw relates to improper privilege management in the marshaling process, allowing an attacker to manipulate the execution context and elevate privileges. This CVE is distinct from CVE-2017-0214, which addresses a similar but separate vulnerability.

Impact

  • CVSS v3 Score: 7.3 (High)
    • Attack Vector: Local
    • Privileges Required: Low
    • User Interaction: Required
    • Confidentiality, Integrity, Availability: High impact on all three
  • CVSS v2 Score: 1.9 (Low) — reflects the local access requirement and partial integrity impact
  • Real-world Risk: Despite the local attack vector, this vulnerability is actively exploited in the wild. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and it has been leveraged in ransomware campaigns.

Exploitation Walkthrough

An attacker with local access and the ability to execute code can craft a malicious application that interacts with the COM Aggregate Marshaler in a way that bypasses normal privilege boundaries. The attacker must convince a user to run the application or already have code execution at low privileges.

Ethics Note: The following is a defensive, conceptual description only. A proof-of-concept is available in Exploit-DB (ID 42020), but weaponized exploit code or step-by-step attack instructions are intentionally omitted to prevent misuse. Security practitioners should study the vulnerability to understand detection patterns and remediation priorities.

Affected and Patched Versions

Affected:

  • Windows 7 SP1
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 (1507, 1511, 1607, 1703)
  • Windows Server 2008 SP2 and R2 SP1
  • Windows Server 2012 and 2012 R2
  • Windows Server 2016

Patched: Microsoft released security updates for all affected platforms. Specific KB numbers are available in the Microsoft Security Response Center advisory referenced below.

Remediation

  1. Apply Security Updates: Install the relevant cumulative security updates for your affected Windows version from the Microsoft Security Response Center.
  2. Compensating Controls:
    • Restrict local code execution and application installation through AppLocker or Windows Defender Application Control (WDAC).
    • Apply the principle of least privilege to limit the impact of local privilege escalation.
    • Monitor for suspicious COM object instantiation and inter-process communication.

Detection

  • Monitor for anomalous process behavior involving dllhost.exe or unexpected COM marshaling activities.
  • Look for suspicious application execution by non-administrative users that attempt to interact with COM infrastructure.
  • Correlate endpoint telemetry with the CISA KEV catalog to prioritize hunting for this CVE.

Assessment

CVE-2017-0213 has an EPSS score of 0.84138, placing it in the 99.66th percentile of all tracked vulnerabilities, indicating a very high probability of active exploitation. Its inclusion in the CISA KEV catalog and confirmed use in ransomware operations make this a critical remediation priority even though the CVSS v3 vector requires local access and user interaction.

Lessons:

  1. Local vulnerabilities are not low-risk when KEV-confirmed. A "local" attack vector combined with active exploitation in ransomware means this should be treated as high urgency.
  2. Patch legacy systems. Many affected versions (Windows 7, Server 2008/2012) are now end-of-life; organizations should upgrade or apply Extended Security Updates (ESU) if still in use.

References

Frequently asked questions

What is CVE-2017-0213?
Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.
How severe is CVE-2017-0213?
CVE-2017-0213 has a CVSS 3.x base score of 7.3, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-0213 being actively exploited?
Yes. CVE-2017-0213 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-0213?
CVE-2017-0213 primarily affects Microsoft Windows 10 1507. In total, 12 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-0213?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-0213 have an EU (EUVD) identifier?
Yes. CVE-2017-0213 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0579. It is also flagged as exploited in the EUVD (since 2022-03-28).
When was CVE-2017-0213 published?
CVE-2017-0213 was published on 2017-05-12 and last updated on 2026-06-17.

References

Affected products (12)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →