CVE-2016-7224 : Virtual Hard Disk Driver in Microsoft Windows 8.1, Windows Server 2012 Gold and

Virtual Hard Disk Driver in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 does not properly restrict access to files, which allows local users to gain privileges via a crafted application, aka "VHD Driver Elevation of Privilege Vulnerability."

Published 2016-11-10 06:59:37

Updated 2025-04-12 10:46:41

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2016-7224

Microsoft » Windows Server 2012 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2012 » Version: R2
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 8.1
cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Rt 8.1
cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: N/A
cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1511
cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows 10 » Version: 1607
cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
Matching versions
Microsoft » Windows Server 2016 » Version: N/A
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-7224

EPSS FAQ

1.28%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-7224

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:P/I:P/A:N	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N	1.8	4.2	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: High Availability: None

CWE ids for CVE-2016-7224

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-7224

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-138

Microsoft Security Bulletin MS16-138 - Important | Microsoft Docs

CVEs referencing this url
http://www.securityfocus.com/bid/94017

Microsoft Windows CVE-2016-7224 Local Privilege Escalation Vulnerability
https://www.exploit-db.com/exploits/40765/

Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)
http://www.securitytracker.com/id/1037248

Microsoft Virtual Hard Disk Driver Lets Local Users Modify Restricted Files to Gain Elevated Privileges - SecurityTracker

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-7224

Products affected by CVE-2016-7224

Exploit prediction scoring system (EPSS) score for CVE-2016-7224

CVSS scores for CVE-2016-7224

CWE ids for CVE-2016-7224

References for CVE-2016-7224