Win32k Elevation of Privilege Vulnerability
CVE-2018-8453 is a local elevation-of-privilege vulnerability in the Windows Win32k kernel component caused by improper handling of objects in memory. Microsoft describes it as occurring when Win32k fails to properly handle objects in memory. The flaw is in kernel-mode code reachable from user mode and can be used by a local attacker to elevate privileges to SYSTEM. Supporting reporting in the provided content shows the vulnerability was weaponized by REvil/Sodinokibi ransomware to escalate from the current user context to SYSTEM on compromised hosts. The malware checked OS version and patch state before attempting exploitation and used the vulnerability as an optional privilege-escalation path.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains multiple implementations of a local privilege escalation exploit for CVE-2018-8453, a Windows kernel vulnerability. The exploit targets Windows 8.1 and Windows 10 RS2 (builds 15063 and 16299), as indicated in the README files. The structure includes several Visual Studio C++ projects for both x86 and x64 architectures, with both GUI and console variants. The main exploit logic is implemented in C/C++ with supporting assembly for low-level kernel interactions (e.g., _asm.asm). The exploit leverages Windows GDI palette objects and window class structures to achieve arbitrary kernel memory read/write, ultimately allowing the attacker to escalate privileges to SYSTEM. The code is operational and includes all necessary components to build and run the exploit on a vulnerable system. No network or remote attack vectors are present; exploitation requires local code execution. The repository is well-structured for research and adaptation to similar kernel vulnerabilities.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A win32k.sys kernel privilege escalation vulnerability used by REvil to obtain SYSTEM privileges on infected Windows hosts.
A Windows privilege-escalation vulnerability leveraged by Sodinokibi/REvil as an optional local exploit path to elevate privileges to SYSTEM (with noted instability/BSOD risk), gated by configuration and patch-level checks.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.