CVE-2017-0213
CVE-2017-0213 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-28).
Key facts
- Severity: High (CVSS 3.x base score 7.3)
- CVSS v2: 1.9
- EPSS exploit prediction: 84% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-28)
- EU (EUVD) id: EUVD-2017-0579
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-28)
- Affected product: Microsoft Windows 10 1507
- Published:
- Last modified:
Description
Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.
CVE-2017-0213: Windows COM Aggregate Marshaler Local Privilege Escalation
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2017-0213 |
| CVSS v2 | 1.9 (AV:L/AC:M/Au:N/C:N/I:P/A:N) |
| CVSS v3 | 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) |
| EPSS | 0.84138 (99.66th percentile) |
| KEV | Yes (Added 2022-03-28) |
| CWE | Not specified in source data |
Summary
Windows COM Aggregate Marshaler in multiple Microsoft Windows versions contains an elevation of privilege vulnerability. An attacker who runs a specially crafted application can exploit this flaw to gain elevated privileges on the target system.
Background
The Component Object Model (COM) is a Microsoft framework for software component interaction. The COM Aggregate Marshaler handles the marshaling of COM interfaces across process boundaries. In May 2017, Microsoft disclosed that this component contained a vulnerability that could be abused for local privilege escalation.
Root Cause
The vulnerability stems from improper handling of objects within the COM Aggregate Marshaler. While the specific CWE is not cataloged in the source data, the flaw relates to improper privilege management in the marshaling process, allowing an attacker to manipulate the execution context and elevate privileges. This CVE is distinct from CVE-2017-0214, which addresses a similar but separate vulnerability.
Impact
- CVSS v3 Score: 7.3 (High)
- Attack Vector: Local
- Privileges Required: Low
- User Interaction: Required
- Confidentiality, Integrity, Availability: High impact on all three
- CVSS v2 Score: 1.9 (Low) — reflects the local access requirement and partial integrity impact
- Real-world Risk: Despite the local attack vector, this vulnerability is actively exploited in the wild. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and it has been leveraged in ransomware campaigns.
Exploitation Walkthrough
An attacker with local access and the ability to execute code can craft a malicious application that interacts with the COM Aggregate Marshaler in a way that bypasses normal privilege boundaries. The attacker must convince a user to run the application or already have code execution at low privileges.
Ethics Note: The following is a defensive, conceptual description only. A proof-of-concept is available in Exploit-DB (ID 42020), but weaponized exploit code or step-by-step attack instructions are intentionally omitted to prevent misuse. Security practitioners should study the vulnerability to understand detection patterns and remediation priorities.
Affected and Patched Versions
Affected:
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows 10 (1507, 1511, 1607, 1703)
- Windows Server 2008 SP2 and R2 SP1
- Windows Server 2012 and 2012 R2
- Windows Server 2016
Patched: Microsoft released security updates for all affected platforms. Specific KB numbers are available in the Microsoft Security Response Center advisory referenced below.
Remediation
- Apply Security Updates: Install the relevant cumulative security updates for your affected Windows version from the Microsoft Security Response Center.
- Compensating Controls:
- Restrict local code execution and application installation through AppLocker or Windows Defender Application Control (WDAC).
- Apply the principle of least privilege to limit the impact of local privilege escalation.
- Monitor for suspicious COM object instantiation and inter-process communication.
Detection
- Monitor for anomalous process behavior involving
dllhost.exeor unexpected COM marshaling activities. - Look for suspicious application execution by non-administrative users that attempt to interact with COM infrastructure.
- Correlate endpoint telemetry with the CISA KEV catalog to prioritize hunting for this CVE.
Assessment
CVE-2017-0213 has an EPSS score of 0.84138, placing it in the 99.66th percentile of all tracked vulnerabilities, indicating a very high probability of active exploitation. Its inclusion in the CISA KEV catalog and confirmed use in ransomware operations make this a critical remediation priority even though the CVSS v3 vector requires local access and user interaction.
Lessons:
- Local vulnerabilities are not low-risk when KEV-confirmed. A "local" attack vector combined with active exploitation in ransomware means this should be treated as high urgency.
- Patch legacy systems. Many affected versions (Windows 7, Server 2008/2012) are now end-of-life; organizations should upgrade or apply Extended Security Updates (ESU) if still in use.
References
Frequently asked questions
- What is CVE-2017-0213?
- Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.
- How severe is CVE-2017-0213?
- CVE-2017-0213 has a CVSS 3.x base score of 7.3, rated high severity. It is exploitable over local access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-0213 being actively exploited?
- Yes. CVE-2017-0213 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-0213?
- CVE-2017-0213 primarily affects Microsoft Windows 10 1507. In total, 12 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-0213?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-0213 have an EU (EUVD) identifier?
- Yes. CVE-2017-0213 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0579. It is also flagged as exploited in the EUVD (since 2022-03-28).
- When was CVE-2017-0213 published?
- CVE-2017-0213 was published on 2017-05-12 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/98102
- http://www.securitytracker.com/id/1038457
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0213
- https://www.exploit-db.com/exploits/42020/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0213
Affected products (12)
- cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1511:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1703:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1507
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
- CVE-2025-21307 — Critical (CVSS 9.8): Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
- CVE-2025-21298 — Critical (CVSS 9.8): Windows OLE Remote Code Execution Vulnerability
- CVE-2024-49112 — Critical (CVSS 9.8): Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2024-43491 — Critical (CVSS 9.8): Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities…