The I2O Utility Filter driver (i2omgmt.sys) 5.1.2600.2180 for Microsoft Windows XP sets Everyone/Write permissions for the "\\.\I2OExc" device interface, which allows local users to gain privileges. NOTE: this issue can be leveraged to overwrite arbitrary memory and execute code via an IOCTL call with a crafted DeviceObject pointer.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.00808Percentile:
0.73222
CVSS Scoring
CVSS v3.1 Score: 7.8
Severity: HIGH
Mapped CWE(s)
CWE-732
: Incorrect Permission Assignment for Critical Resource
All CAPEC(s)
CAPEC-1 : Accessing Functionality Not Properly Constrained by ACLs
CAPEC-122 : Privilege Abuse
CAPEC-127 : Directory Indexing
CAPEC-17 : Using Malicious Files
CAPEC-180 : Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-206 : Signing Malicious Code
CAPEC-234 : Hijacking a privileged process
CAPEC-60 : Reusing Session IDs (aka Session Replay)
CAPEC-61 : Session Fixation
CAPEC-62 : Cross Site Request Forgery
CAPEC-642 : Replace Binaries
CAPEC(s) with Mapped TTPs
CAPEC-1 : Accessing Functionality Not Properly Constrained by ACLs
Mapped TTPs:
T1574.010
: Services File Permissions Weakness
CAPEC-122 : Privilege Abuse
Mapped TTPs:
T1548
: Abuse Elevation Control Mechanism
CAPEC-127 : Directory Indexing
Mapped TTPs:
T1083
: File and Directory Discovery
CAPEC-17 : Using Malicious Files
Mapped TTPs:
T1574.005
: Executable Installer File Permissions Weakness
T1574.010
: Services File Permissions Weakness
CAPEC-180 : Exploiting Incorrectly Configured Access Control Security Levels
Mapped TTPs:
T1574.010
: Services File Permissions Weakness
CAPEC-206 : Signing Malicious Code
Mapped TTPs:
CAPEC-60 : Reusing Session IDs (aka Session Replay)
Mapped TTPs:
CAPEC-642 : Replace Binaries
Mapped TTPs:
T1505.005
: Terminal Services DLL
T1554
: Compromise Host Software Binary
T1574.005
: Executable Installer File Permissions Weakness
Mapped ATT&CK TTPs
T1574.010
: Services File Permissions Weakness
Kill Chain: persistence
T1548
: Abuse Elevation Control Mechanism
Kill Chain: privilege-escalation
T1083
: File and Directory Discovery
Kill Chain: discovery
T1574.005
: Executable Installer File Permissions Weakness
Kill Chain: persistence
T1574.010
: Services File Permissions Weakness
Kill Chain: persistence
T1574.010
: Services File Permissions Weakness
Kill Chain: persistence
T1553.002
: Code Signing
Kill Chain: defense-evasion
T1134.001
: Token Impersonation/Theft
Kill Chain: defense-evasion
T1550.004
: Web Session Cookie
Kill Chain: defense-evasion
T1505.005
: Terminal Services DLL
Kill Chain: persistence
T1554
: Compromise Host Software Binary
Kill Chain: persistence
T1574.005
: Executable Installer File Permissions Weakness
Kill Chain: persistence
Malware
APTs Threat Group Associations
Campaigns
Operation Wocao APT41 DUST SolarWinds Compromise Operation CuckooBees Operation Honeybee 2016 Ukraine Electric Power Attack RedDelta Modified PlugX Infection Chain Operations Operation Dream Job C0015 Night Dragon HomeLand Justice Cutting Edge KV Botnet Activity
Affected Products
cpe:2.3:o:microsoft:windows_xp:*:*:*:*:*:*:*:*
← Back to Home
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me