Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack by an authenticated low-privileged user exploiting a kernel driver IOCTL with no user interaction, yielding full CIA impact via SYSTEM-level code execution.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been found in AOMEI Partition Assistant up to 10.10.1. This vulnerability affects unknown code in the library ampa10.sys of the component Kernel Driver. Such manipulation leads to improper access controls. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Local privilege escalation in AOMEI Partition Assistant through version 10.10.1 allows authenticated low-privileged users to abuse improper access controls in the ampa10.sys kernel driver to gain SYSTEM-level code execution. Publicly available exploit code exists per VulDB, and the vendor did not respond to coordinated disclosure attempts, leaving installations exposed; no public exploit identified at time of analysis as actively used in the wild (not in CISA KEV).
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) AOMEI Partition Assistant 10.10.0 or 10.10.1 installed on the target Windows host so that ampa10.sys is loaded as a kernel driver, and (2) the attacker has already obtained local code execution as an authenticated low-privileged user (PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) yields 7.1 and accurately reflects a local, low-complexity, low-privilege attack producing full confidentiality, integrity, and availability impact - consistent with kernel-mode code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user - or malware that achieved initial code execution as a standard user via phishing or a browser exploit - opens a handle to the ampa10.sys device and issues a crafted IOCTL that the driver executes without proper caller validation, yielding arbitrary kernel read/write or direct SYSTEM token theft. Because public exploit code is already published at winslow1984.com, an attacker can adapt it with minimal effort to elevate from a foothold to full host compromise. |
| Remediation | No vendor-released patch identified at time of analysis - the vendor did not respond to the VulDB disclosure. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all systems running AOMEI Partition Assistant version 10.10.1 or earlier; identify which host authenticated low-privilege user access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38143
GHSA-9fg6-8666-rx55