CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."
AnalysisAI
Local privilege escalation in Windows afd.sys (Ancillary Function Driver) allows unauthenticated local attackers to gain SYSTEM privileges on Windows XP SP2/SP3 and Server 2003 SP2 through a crafted application requiring user interaction. CISA KEV confirms active exploitation in the wild, with EPSS score at 67.09% (99th percentile) indicating extremely high real-world exploitation likelihood. Multiple public exploit codes exist (Exploit-DB 21844, 18176), making this vulnerability trivially exploitable despite its age. Microsoft released patches via MS11-080 in October 2011, but legacy systems remain vulnerable.
Technical ContextAI
The vulnerability exists in afd.sys, the Ancillary Function Driver kernel-mode component responsible for handling Windows Sockets operations in Windows XP and Server 2003. This driver implements the AFD device (\Device\Afd) which provides an interface between user-mode Winsock2 applications and kernel-mode transport protocols. The flaw stems from insufficient validation of user-mode input buffers before processing them in kernel space, allowing attackers to corrupt kernel memory or execute arbitrary code at ring 0. The affected CPE configurations confirm impact to Windows XP Professional x64 SP2, Windows XP SP3 (all editions), and Windows Server 2003 SP2. This represents a classic kernel input validation failure where IOCTL handlers or system call interfaces trusted user-supplied pointers or buffer lengths without proper bounds checking or access verification.
RemediationAI
Apply Microsoft Security Bulletin MS11-080 immediately via Windows Update or manual download from https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-080. The bulletin provides specific KB article numbers and replacement supersedence information for each affected platform. However, given that Windows XP and Server 2003 reached extended support end-of-life in 2014 and 2015 respectively, the STRONGLY RECOMMENDED remediation is migrating affected systems to supported operating systems (Windows 10/11 or Server 2016/2019/2022). If migration is impossible due to operational constraints, implement defense-in-depth compensating controls: restrict local logon rights to only essential administrative users through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment), deploy application whitelisting via Software Restriction Policies or AppLocker to prevent execution of unauthorized binaries (mitigates social engineering delivery), enable audit logging for privilege escalation attempts (Security log Event ID 4672 for special privileges assigned to new logon), and network-isolate legacy systems from internet access and untrusted network segments. Note that compensating controls only reduce attack surface and do not eliminate the vulnerability - attackers with physical access or who compromise authorized user accounts can still exploit this flaw.
More from same product – last 7 days
Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous fil
Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft mal
Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-
Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authenti
Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain
Share
External POC / Exploit Code
Leaving vuln.today