| Severity | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE ID | CVE-2015-0016 |
| CVSSv3 |
8.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] |
| CWE ID |
CWE-22 |
| Exploitation vector | Network |
| Public exploit | This vulnerability is being exploited in the wild. |
| Vulnerable software |
Windows Windows Server |
| Vulnerable software versions |
Windows Vista Windows 7 Windows RT 8.1 Show more Windows Server 2008 R2 Windows Server 2012 R2 Windows Server 2012 |
| Vendor URL | Microsoft |
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to insufficient validation of user-supplied input within TS WebProxy Windows component. A remote attacker can trick the victim into downloading a specially crafted file and execute it with privileges of the current user.
Successful exploitation of the vulnerability may result in full control of the vulnerable system.
Note: the vulnerability was being actively exploited.
Install update from vendor's website.
https://technet.microsoft.com/en-us/library/security/ms15-004