CVE-2015-0016 — Microsoft Windows TS WebProxy Directory Traversal Vulnerability

Windows TS WebProxy — TSWbPrxy Directory Traversal Enables Privilege Escalation in Terminal Services Web Access; Patched MS15-004

What Is Windows TS WebProxy?

Terminal Services WebProxy (TSWbPrxy) is a Windows component that supports Remote Desktop Web Access — the web-based interface allowing users to connect to Remote Desktop Services (RDS) and RemoteApp applications through a web browser. TSWbPrxy acts as a proxy service within the Terminal Services infrastructure, facilitating connections between web clients and RDS session hosts. The component runs as a Windows service and handles URL routing for Remote Desktop Web Access.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-0016 is a directory traversal vulnerability in the Windows TS WebProxy (TSWbPrxy) component that allows a remote attacker to escalate privileges. By crafting a request with traversal sequences (e.g., ../), an attacker can access files or resources outside the intended directory restriction, potentially enabling privilege escalation to SYSTEM. Patched in MS15-004 (January 13, 2015).

Affected Versions

Windows                               Status
Windows 7 SP1                         Vulnerable
Windows Server 2008 R2 SP1            Vulnerable
Windows 8 / 8.1                       Vulnerable
Windows Server 2012 / 2012 R2         Vulnerable
Windows RT / RT 8.1                   Vulnerable

Systems fully patched with MS15-004 are protected.

Technical Details

Root Cause: Insufficient Path Validation in TSWbPrxy

The TSWbPrxy component fails to properly validate or sanitize path components in requests it processes. When the component handles a request containing directory traversal sequences, it does not canonicalize or restrict the path to the intended directory scope. This allows an attacker to:

  1. Submit a crafted request with ../ sequences to navigate outside the intended directory
  2. Access system files or privileged resources that the webproxy service can reach
  3. Leverage access to those resources to execute code or gain elevated privileges

The component's elevated service context means that files accessible to TSWbPrxy may include resources restricted from normal user access — making the traversal directly useful for privilege escalation rather than just information disclosure.
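The canonicalize-then-contain check whose absence is described above, as an added example (not Microsoft's code and not the actual TSWbPrxy fix). It uses Python's ntpath module to apply Windows path rules on any OS; BASE_DIR, the function names and the sample paths are hypothetical.

```python
import ntpath  # Windows path rules, importable on any OS

# Hypothetical content root for illustration; not the real TSWbPrxy layout.
BASE_DIR = r"C:\ProgramData\ExampleProxy\content"


def naive_allows(requested: str) -> bool:
    """'Before': concatenate, then trust a string-prefix test."""
    path = BASE_DIR + "\\" + requested
    return path.startswith(BASE_DIR)  # true for every input, ../ included


def resolve_checked(requested: str) -> str:
    """'After': canonicalize first, then require containment in BASE_DIR.

    Lexical check only; a service must also account for junctions and
    symlinks by checking the final path of the file it actually opens.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    # join() drops BASE_DIR when the input is rooted, names another drive,
    # or is a UNC path, so the containment test below must still run.
    candidate = ntpath.normpath(ntpath.join(BASE_DIR, requested))
    base_cmp = ntpath.normcase(ntpath.normpath(BASE_DIR))
    cand_cmp = ntpath.normcase(candidate)  # folds case, maps / to \
    try:
        # Component-wise comparison: "content2" is not inside "content".
        inside = ntpath.commonpath([base_cmp, cand_cmp]) == base_cmp
    except ValueError:  # different drive or UNC share
        inside = False
    if not inside:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def check(requested: str) -> str:
    """Return 'ALLOW <canonical path>' or 'DENY' for one requested path."""
    try:
        return "ALLOW " + resolve_checked(requested)
    except ValueError:
        return "DENY"


# Constructed sample inputs.
SAMPLES = ["apps\\icon.png", "..\\..\\outside.txt", "apps/../../outside.txt",
           "..\\content2\\file.txt", "D:\\other\\file.txt"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} naive={naive_allows(s)!s:5} checked={check(s)}")
```
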

Privilege Escalation Vector

Terminal Services WebProxy runs with elevated privileges to support its RDS proxy role. Directory traversal access in this context can allow writing to sensitive directories or triggering execution of attacker-placed files in privileged locations — enabling escalation from a limited user to SYSTEM.

Attack Characteristics

Attribute            Detail
Attack Vector        Local — requires code execution on the target
User Interaction     Required
Privilege Impact     Escalation to elevated/SYSTEM level
Component            TSWbPrxy (Terminal Services WebProxy)
Patch Bulletin       MS15-004 (January 2015)

Discovery

Reported to Microsoft and patched as part of the January 2015 Patch Tuesday (MS15-004), which addressed privilege escalation vulnerabilities in Windows components.

Exploitation Context

  • Exploit chain second stage: Local privilege escalation vulnerabilities like CVE-2015-0016 are used as the second stage of exploit chains — after an initial code execution vulnerability provides limited access, the privilege escalation delivers SYSTEM-level access
  • Targeted attacks: LPE vulnerabilities targeting Windows services are used by APT groups to establish persistent, privileged footholds on compromised systems
  • Unpatched legacy systems: Enterprise environments running Windows Server 2008 R2 or Windows 7 that have not been updated with the January 2015 patch may remain vulnerable; the CISA KEV addition in 2022 confirms continued exploitation
  • CISA KEV (2022): Added May 2022

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS15-004 (January 2015). This is the formal patch for CVE-2015-0016.

  2. Maintain current Windows patch levels — systems running supported Windows versions and kept current with patches are not exposed to this vulnerability.

  3. Disable Remote Desktop Web Access if not required — removing the TSWbPrxy service eliminates the attack surface entirely.

  4. Restrict RDP/RDS access to trusted networks via firewall rules and VPN requirements, reducing exposure of the Terminal Services infrastructure.

Key Details

Property               Value
CVE ID                 CVE-2015-0016
Vendor / Product       Microsoft — Windows
NVD Published          2015-01-13
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CISA KEV Added         2022-05-25
CISA KEV Deadline      2022-06-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date          Event
2015-01-13    Microsoft Security Bulletin MS15-004 released; CVE-2015-0016 patched
2015-01-13    CVE-2015-0016 published by NVD
2022-05-25    Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15    CISA BOD 22-01 remediation deadline