Secondary Logon Elevation of Privilege Vulnerability
CVE-2016-0099 is a local elevation-of-privilege vulnerability in the Microsoft Windows Secondary Logon Service affecting Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511. According to the provided content, the flaw exists because the Secondary Logon Service does not properly process request handles. A local attacker can exploit this weakness via a crafted application to elevate privileges on the affected system. The vulnerability is also referenced as being exploitable via the CreateProcessWithLogonW API in offensive tooling.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository contains a Visual Studio project for an exploit targeting MS16-032 (CVE-2016-0099), a Windows privilege escalation vulnerability. The structure includes a solution file, project files, and references to a main C++ source file (ms16-032.cpp), which is not included in the provided content. The README specifies that the exploit is intended for use in a service context, indicating it must be run as a Windows service to function. The project is configured for both 32-bit and 64-bit Windows builds. No network endpoints or external IPs are present; the attack vector is local privilege escalation. The repository is a proof-of-concept (POC) for local exploitation and does not appear to be weaponized or part of a larger framework. The main fingerprintable endpoint is the source file path for the exploit code.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Windows local privilege escalation vulnerability used by Makop operators to elevate privileges during post-compromise operations.
A Windows privilege escalation vulnerability (Secondary Logon Service) that ALPHV/BlackCat ransomware embeds/leverages to elevate privileges during execution/propagation on Windows hosts.
A privilege escalation vulnerability used by attackers in Prometei-related infections to elevate the privileges of the current user after gaining access to MS SQL systems.
Local privilege escalation vulnerability referenced as supported by PoshC2 modules.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.