What is NDProxy.sys?
NDProxy.sys is a Windows kernel driver that provides NDIS (Network Driver Interface Specification) proxy functionality for WAN (Wide Area Network) miniport drivers — specifically used with dial-up networking and some VPN implementations. It was present in Windows XP and Windows Server 2003 but was substantially changed in Windows Vista. The driver handles DeviceIoControl calls from user-mode applications related to network connection management, and improper input validation in these IOCTL handlers provided the escalation path.
Overview
CVE-2013-5065 is an improper input validation vulnerability in NDProxy.sys in the Windows kernel that allows a local user to escalate privileges to SYSTEM. A crafted DeviceIoControl call to the NDProxy driver triggers a kernel-mode memory access violation that can be leveraged for code execution at ring 0. This vulnerability was exploited as a zero-day chained with CVE-2013-3346 (Adobe Reader ToolButton use-after-free) to achieve full system compromise from a malicious PDF — the Reader vulnerability provides initial code execution in the Reader sandbox, and CVE-2013-5065 escapes the sandbox and escalates to SYSTEM.
Microsoft acknowledged the zero-day on November 27, 2013, and patched it in MS13-101 on December 10, 2013.
Affected Versions
| Operating System | Affected |
|---|---|
| Windows XP SP3 (32-bit) | Yes |
| Windows XP SP2 (64-bit) | Yes |
| Windows Server 2003 SP2 | Yes |
| Windows Vista and later | Not affected |
The vulnerability is specific to Windows XP and Server 2003: the NDProxy driver in Vista and later was significantly changed and does not contain it. That specificity still left a large target population: in late 2013, Windows XP accounted for a very large fraction of enterprise Windows deployments, with end-of-life only months away (April 2014).
Technical Details
NDProxy.sys exposes a device interface that user-mode applications can access via DeviceIoControl. The driver's IOCTL handler did not properly validate input parameters, allowing a local process to send a crafted IOCTL that causes the kernel driver to access memory inappropriately — producing a controllable fault in ring 0.
The two-stage attack chain (as reported by FireEye):
- Stage 1 — CVE-2013-3346: A malicious PDF opens in Adobe Reader. The ToolButton use-after-free achieves code execution inside Reader's Protected Mode sandbox — the attacker can run code, but it is constrained by the Reader sandbox.
- Stage 2 — CVE-2013-5065: From within the Reader sandbox, the attacker's code makes a crafted `DeviceIoControl` call to `NDProxy.sys`. Because NDProxy is a kernel driver accessible from sandboxed processes, the improper input validation allows kernel code execution, escalating to SYSTEM privilege and escaping the sandbox entirely.
- The fully escaped, SYSTEM-privileged code installs a RAT (PlugX and other custom backdoors were delivered in these campaigns) for persistent access.
Why XP-only mattered: While limiting the vulnerability to XP/2003 reduced its scope compared to a cross-version vulnerability, Windows XP's enormous installed base in 2013 — particularly in Asia-Pacific enterprise environments where the targeted organizations operated — made this highly effective.
Discovery
Identified by FireEye researchers analyzing in-the-wild targeted attacks against specific organizations in November 2013. Microsoft acknowledged the zero-day exploitation in Security Advisory 2914486 on November 27, 2013 — within days of the FireEye report.
Exploitation Context
CISA confirmed exploitation in the wild. The CVE-2013-3346 + CVE-2013-5065 chain was used in precision APT campaigns delivering PlugX and related RATs against targeted organizations. FireEye attributed the attacks to a Chinese state-sponsored actor. The sophistication of the two-stage chain — simultaneously maintaining a Reader sandbox escape and a Windows XP kernel LPE zero-day — indicates a well-resourced, deliberate targeting operation.
Remediation
- Apply MS13-101 (December 2013) — patches `NDProxy.sys` on affected Windows XP and Server 2003 systems
- Windows XP reached end-of-life on April 8, 2014 — any remaining XP systems should be treated as fully unpatched for all vulnerabilities discovered after that date
- Upgrade all Windows XP systems to Windows 10 or later — no further security patches are available for XP
- Apply Adobe Reader patches for CVE-2013-3346 (APSB13-22) to remove the initial code execution component of this chain
- Enforce network segmentation to limit access from any potentially compromised workstations running XP
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2013-5065 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2013-11-28 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Timeline
| Date | Event |
|---|---|
| 2013-11 | Zero-day exploitation observed — CVE-2013-5065 chained with CVE-2013-3346 (Adobe Reader ToolButton UAF) in targeted APT attacks delivering PlugX RAT |
| 2013-11-27 | Microsoft publishes Security Advisory 2914486 acknowledging active zero-day exploitation of NDProxy.sys |
| 2013-11-28 | CVE-2013-5065 published |
| 2013-12-10 | Microsoft releases MS13-101 (December 2013 Patch Tuesday) patching CVE-2013-5065 |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2013-5065 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS13-101 | Vendor Advisory |