Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

ATMFD.DLL Memory Corruption Vulnerability in Microsoft Windows

IdentifiersCVE-2015-2387CWE-119

CVE-2015-2387 is a local elevation of privilege vulnerability in ATMFD.DLL, the Adobe Type Manager Font Driver in Microsoft Windows. According to the provided content, affected platforms include Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1. The flaw is described as a memory corruption issue in ATMFD.DLL that can be triggered by a crafted application. Successful exploitation allows a local user to elevate privileges on the target system. The content also indicates this vulnerability was used in the wild, including by APT28/Sednit and in tooling derived from the Hacking Team leak, as part of post-compromise privilege escalation chains.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in local privilege escalation on the affected Windows host. An attacker who already has code execution as a local user can leverage the vulnerability to obtain higher privileges, potentially up to administrative or SYSTEM-level execution depending on exploit conditions. This can enable full compromise of the local machine, including disabling defenses, credential theft, persistence installation, access to protected data, and use of the host for further lateral movement.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce opportunities for local code execution by restricting execution of untrusted applications, enforcing application allowlisting, limiting user rights, and monitoring for suspicious child processes or exploit behavior associated with privilege escalation. Additional mitigations include hardening endpoints against phishing-delivered malware, using EDR to detect abnormal privilege transitions and kernel/driver exploitation behavior, and isolating or decommissioning legacy Windows systems that remain vulnerable. The provided content does not include a vendor-specific workaround beyond patching.

Remediation

Patch, then assume compromise.

Apply the relevant Microsoft security update for CVE-2015-2387 on all affected Windows systems. Prioritize legacy and unsupported systems listed in the content, especially where local code execution by untrusted users is possible. Standard remediation should include verifying that ATMFD.DLL-related patches are installed across the fleet, accelerating retirement of unsupported Windows versions, and validating patch deployment on endpoints commonly exposed to phishing-delivered malware that may use this vulnerability for post-exploitation privilege escalation.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 7operating_system
Microsoft CorporationWindows 8operating_system
Microsoft CorporationWindows 8.1operating_system
Microsoft CorporationWindows Rtoperating_system
Microsoft CorporationWindows Rt 8.1operating_system
Microsoft CorporationWindows Server 2003operating_system
Microsoft CorporationWindows Server 2008operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Vistaoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
cybereason blogNews
Sep 6, 2017
The Long-Term Threats Posed by the Vault 7 Leaks

A Windows local privilege escalation (LPE) vulnerability disclosed via the 2015 Hacking Team leak.

Read more
mitre attack websiteNews
Oct 1, 2016
APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch, Group G0007 | MITRE ATT&CK®

A privilege escalation vulnerability exploited by APT28.

Read more
mitre attackNews
Jan 24, 2026
Exploitation for Privilege Escalation, Technique T1068 - Enterprise | MITRE ATT&CK®

Windows privilege escalation vulnerability exploited by APT28 (and also referenced for JHUHUGIT) to escalate privileges.

Read more
eset welivesecurity blogNews
Mar 13, 2026

A Windows local privilege escalation vulnerability exploited by Seduploader, using an exploit integrated shortly after the Hacking Team leak.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2015-2387
NVD
nvd.nist.gov/vuln/detail/CVE-2015-2387
MITRE CWE · CWE-119
cwe.mitre.org
Patch
docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-077
Third Party Advisory
us-cert.gov/ncas/alerts/TA15-195A
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2387