HighCISA KEVExploited in the wildPublic exploit

Ancillary Function Driver Elevation of Privilege in afd.sys

IdentifiersCVE-2011-2005CWE-20

CVE-2011-2005 is a local elevation-of-privilege vulnerability in afd.sys, the Ancillary Function Driver component in Microsoft Windows XP SP2/SP3 and Windows Server 2003 SP2. The flaw is caused by improper validation of user-mode input passed into kernel mode by the driver. A local attacker can supply crafted input via a malicious application to trigger the vulnerability and execute code with elevated privileges in kernel context. Microsoft refers to this issue as the "Ancillary Function Driver Elevation of Privilege Vulnerability."

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local user to elevate privileges from a low-privileged account to kernel-level or SYSTEM-equivalent execution on the affected host. This can enable full compromise of the system, including arbitrary code execution in kernel context, disabling security controls, installing persistent malware, tampering with system components, and accessing or modifying protected data.

Mitigation

If you can’t patch tonight, do this now.

Limit local code execution on affected systems by restricting interactive logon and application execution to trusted users and software only. Use application allowlisting, least-privilege account configurations, and endpoint controls to reduce the chance that an attacker can run a crafted local exploit. Network-based mitigations are limited because this is a local vulnerability; the primary mitigation is patching or retiring affected systems.

Remediation

Patch, then assume compromise.

Apply the Microsoft security update that addresses CVE-2011-2005 for affected platforms. Because the vulnerability affects legacy operating systems—Windows XP SP2/SP3 and Windows Server 2003 SP2—systems should be updated to the latest available security patch level and, where possible, migrated to supported Windows versions, since these platforms are end-of-life and no longer receive routine security fixes.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindows Server 2003operating_system

Microsoft CorporationWindows Xpoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

mitre attackNews

Jan 24, 2026

Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Windows local privilege escalation vulnerability targeted by FIN6 tooling to obtain kernel-level privileges.

mitre attackNews

Mar 18, 2026

Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Windows local privilege escalation vulnerability targeted by FIN6.

mitre attackNews

Mar 18, 2026

Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Windows local privilege escalation vulnerability targeted by FIN6 tooling to obtain kernel-level privileges.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2011-2005

NVD

nvd.nist.gov/vuln/detail/CVE-2011-2005

MITRE CWE · CWE-20

cwe.mitre.org

Patch

docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-080

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2011-2005