CVE-2015-1635

CVE Database · CVE-2015-1635

CVE-2015-1635

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

100.00%

Published

Apr 14, 2015

Modified

Apr 22, 2026

CISA Known Exploited Vulnerability

Added: 2022-02-10 · Due: 2022-08-10

Apply updates per vendor instructions.

Public PoC / Exploit (12)

All weaponized →

Exploit-DBMicrosoft Windows - 'HTTP.sys' (PoC) (MS15-034)Exploit-DBMicrosoft Windows - 'HTTP.sys' HTTP Request Parsing Denial of Service (MS15-034)NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCtechnion/erlvulnscan★10 GitHub PoCaedoo/CVE-2015-1635-POC★9 GitHub PoCZx7ffa4512-Python/Project-CVE-2015-1635★2 GitHub PoCh3x0v3rl0rd/CVE-2015-1635-POC★2 GitHub PoCbongbongco/MS15-034★1 GitHub PoCw01ke/CVE-2015-1635-POC★1 GitHub PoCCappricio-Securities/CVE-2015-1635★1 GitHub PoChedgecore/HTTPsys★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94CWE-94

Affected Products (7)

microsoft · windows_7vulnerable

microsoft · windows_8vulnerable

microsoft · windows_8.1vulnerable

microsoft · windows_server_2008vulnerable

microsoft · windows_server_2012vulnerable

References (15)

http://packetstormsecurity.com/files/131463/Microsoft-Windows-HTTP.sys-Proof-Of-Concept.html