Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Win32k Elevation of Privilege Vulnerability in Microsoft Windows

IdentifiersCVE-2017-0263CWE-416· Use After Free

CVE-2017-0263 is a local privilege escalation vulnerability in the Windows kernel-mode win32k component affecting multiple supported Windows client and server versions. The provided content identifies it as a use-after-free in win32k!xxxDestroyWindow. In observed exploitation, attackers used a crafted application to trigger the flaw, leverage a kernel information leak via the User32!HMValidateHandle technique to recover tagWnd addresses, and then corrupt window object state to achieve kernel-context code execution. Reporting in the supplied sources states the exploit ultimately copied the SYSTEM process token (PID 4) into the current process token, elevating the attacker-controlled process to SYSTEM. The vulnerability was used in the wild together with Office EPS exploits such as CVE-2017-0262 to escape the FLTLDR.EXE sandbox and complete payload installation.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local attacker to elevate privileges from the current user context to NT AUTHORITY\SYSTEM. In the documented attack chains, this enabled sandbox escape from FLTLDR.EXE, installation and execution of malware payloads with SYSTEM rights, and post-compromise actions requiring full local control. Because the flaw is in a kernel-mode component, exploitation can give the attacker complete control over the affected host, including access to protected processes, security-sensitive resources, and the ability to install persistent malware or disable defenses.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by preventing untrusted code execution on endpoints, restricting user ability to run arbitrary applications, and hardening against the common exploit chain observed with this vulnerability. Because CVE-2017-0263 was paired with EPS-based Office exploitation, disabling or restricting EPS processing per Microsoft's ADV170005 guidance and blocking malicious Office document delivery can reduce practical exploitation risk. Additional mitigations include application control, least-privilege user configurations, exploit protection/EDR monitoring for win32k exploitation behavior, and detection of anomalous token manipulation or SYSTEM-level process creation from user applications such as WINWORD.EXE or FLTLDR.EXE.

Remediation

Patch, then assume compromise.

Apply Microsoft's security update for CVE-2017-0263 on all affected Windows systems. The content indicates Microsoft released patches on Patch Tuesday for this vulnerability. Remediation should prioritize systems exposed to phishing-driven Office exploit chains and endpoints running affected Windows versions, including legacy platforms listed in the description. Standard remediation also includes verifying successful deployment across both 32-bit and 64-bit environments and retiring unsupported Windows versions where patch coverage cannot be maintained.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1507operating_system
Microsoft CorporationWindows 10 1511operating_system
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1703operating_system
Microsoft CorporationWindows 7operating_system
Microsoft CorporationWindows 8.1operating_system
Microsoft CorporationWindows Rt 8.1operating_system
Microsoft CorporationWindows Server 2008operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2016operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
securelistNews
Aug 8, 2017
APT Trends report Q2 2017

A Microsoft Windows local privilege escalation (LPE) zero-day used alongside Office EPS exploitation in targeted attacks.

Read more
web archiveNews
May 9, 2017
EPS Processing Zero-Days Exploited by Multiple Threat Actors " EPS Processing Zero-Days Exploited by Multiple Threat Actors | FireEye Inc

A Windows local privilege escalation (EoP) zero-day in win32k (xxxDestroyWindow Use-After-Free) used post-compromise to escape the FLTLDR.EXE sandbox and elevate to SYSTEM by token stealing.

Read more
mitre attack websiteNews
Oct 1, 2016
APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch, Group G0007 | MITRE ATT&CK®

A privilege escalation vulnerability exploited by APT28.

Read more
mitre attackNews
Jan 24, 2026
Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Windows privilege escalation vulnerability exploited by APT28 to escalate privileges.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2017-0263
NVD
nvd.nist.gov/vuln/detail/CVE-2017-0263
MITRE CWE · CWE-416
Use After Free
Patch
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263
Third Party Advisory
exploit-db.com/exploits/44478
Third Party Advisory
xiaodaozhi.com/exploit/117.html
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0263