CVE-2015-6175 — Microsoft Windows Kernel Privilege Escalation Vulnerability

Microsoft Windows Kernel — Local Privilege Escalation to SYSTEM via Crafted Application; Patched MS15-135 (December 2015)

What Is the Windows Kernel?

The Windows kernel is the core of the Windows operating system, running in the most privileged CPU ring (ring 0). The Windows kernel mode encompasses the NT kernel (ntoskrnl.exe), Win32k (the GDI/USER subsystem driver), hardware abstraction layer, device drivers, and the kernel-mode security infrastructure. Because kernel code runs with unrestricted system access, vulnerabilities in kernel components that allow user-space code to trigger kernel-level bugs are among the most severe privilege escalation classes — a successful kernel LPE gives an attacker SYSTEM-level access, bypassing all user-space security controls.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-6175 is a privilege escalation vulnerability in the Windows kernel that allows local users to gain elevated privileges — up to SYSTEM — via a specially crafted application. The vulnerability resides in Windows kernel-mode driver components and was patched in MS15-135 (December 8, 2015). The CVSS PR:N (no privileges required) combined with UI:R (user interaction required) suggests the vulnerability can be triggered when a user opens a crafted file or executes an application, without requiring the user to have any existing elevated permissions. Like other Windows kernel LPEs, CVE-2015-6175 is used as the second stage in exploit chains following browser or document-based initial access.

Affected Versions

Windows                           Status
--------------------------------  ----------------------
Windows Vista SP2                 Vulnerable
Windows Server 2008 SP2 / R2 SP1  Vulnerable
Windows 7 SP1                     Vulnerable
Windows 8 / 8.1                   Vulnerable
Windows Server 2012 / 2012 R2     Vulnerable
Windows RT / RT 8.1               Vulnerable
Windows 10                        Vulnerable (pre-patch)

Fixed in MS15-135 (December 2015). Any Windows system current with Windows Update since December 2015 includes this fix.

Technical Details

Root Cause: Kernel-Mode Driver Privilege Escalation

CVE-2015-6175 involves a flaw in Windows kernel-mode driver components — likely within Win32k.sys or the NT kernel itself — where improper handling of a specific operation allows user-space code to trigger a condition that results in elevated kernel-mode execution. The CVSS vector (AV:L AC:L PR:N UI:R) indicates:

  • AV:L — the vulnerability is exploited locally (the attacker has code execution on the machine, but at a limited privilege level)
  • PR:N — the attacker does not need an existing privileged account to exploit it
  • UI:R — user interaction is required, suggesting the exploit may be triggered by opening a crafted file, visiting a web page, or running an application that calls a vulnerable kernel API

The kernel-mode privilege escalation follows a typical LPE exploitation pattern:

  1. Heap/pool grooming — manipulate the kernel pool to position a target object near the corrupted region
  2. Vulnerability trigger — cause the kernel to process the crafted input that triggers the flaw
  3. Token manipulation — overwrite the security token of the exploiting process's EPROCESS structure to elevate to SYSTEM
  4. SYSTEM access achieved — the process now runs with SYSTEM-level privileges

Role in Attack Chains

Windows kernel LPEs like CVE-2015-6175 are used as the privilege escalation component in two-stage attack chains:

  1. Stage 1 — browser exploit (IE/Chrome/Firefox), document exploit (Office/PDF), or exploit kit achieves code execution at user privilege level
  2. Stage 2 — CVE-2015-6175 escalates from standard user to SYSTEM
  3. Post-exploitation — with SYSTEM access: disable antivirus, access all files, establish persistence, move laterally

Attack Characteristics

Attribute            Detail
-------------------  ----------------------------------------------------------
Attack Vector        Local — crafted application or file triggering kernel API
Privileges Required  None (standard user context sufficient)
User Interaction     Required (open file or run application)
Impact               SYSTEM-level privilege escalation
Use                  Second stage after initial code execution

Discovery

Reported to Microsoft and patched in MS15-135 (December 2015 Patch Tuesday).

Exploitation Context

  • Windows LPE exploit chaining: Threat actors routinely chain browser or document exploits with Windows kernel LPEs; CVE-2015-6175 was active during a period when exploit kits (Angler, Nuclear, Magnitude) were at peak activity, providing a ready ecosystem for chained exploitation
  • Sustained exploitation: CISA's May 2022 KEV addition — 6.5 years after the patch — confirms that CVE-2015-6175 continued to be used against unpatched Windows installations, particularly Windows 7 and Server 2008 systems that remained in production past Microsoft's support lifecycle
  • SYSTEM-level impact: Privilege escalation to SYSTEM is the maximum privilege level on Windows; from SYSTEM, attackers can disable endpoint security, modify system files, install rootkits, and perform any action on the compromised system
  • CISA KEV (2022): Added May 2022

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS15-135 (December 2015). Any Windows system current with Windows Update after December 2015 includes this fix.

  2. Upgrade end-of-life Windows — Windows 7 and Server 2008 reached end-of-life in January 2020. Systems running these versions cannot receive further security updates and remain exposed to CVE-2015-6175 and many other vulnerabilities. Upgrade to Windows 10/11 or Server 2019/2022.

  3. Enable Virtualization Based Security (VBS) / HVCI — Hypervisor-Protected Code Integrity significantly raises the bar for kernel exploitation on supported Windows 10 and later versions.

  4. Principle of least privilege — run users with standard (non-admin) accounts to limit the blast radius of any LPE exploitation below SYSTEM level.

  5. Endpoint detection — behavioral detection rules for SYSTEM process token manipulation can identify LPE exploitation attempts.
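A read-only posture check covering steps 1 to 3 above, written as an added example for this page rather than vendor tooling. It assumes the MS15-135 update's KB number for the assessed OS is substituted for the KBxxxxxxx placeholder (the page does not list per-OS KB numbers), and it reads HVCI status from the Win32_DeviceGuard CIM class, which only exists on Windows 10 and later.

```powershell
# Added example: report whether a host has the MS15-135 fix, is on an
# end-of-life Windows version, and has HVCI running. Run elevated.
function Test-Ms15135Posture {
    # PLACEHOLDER: replace with the KB number of the MS15-135 update
    # for this host's Windows version.
    param([string]$KbId = 'KBxxxxxxx')

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    $r = [ordered]@{
        Caption        = $os.Caption
        Version        = $os.Version
        PatchInstalled = $false
        EndOfLife      = $false
        HvciRunning    = $false
    }

    # Windows Vista / Server 2008 (6.0) and Windows 7 / Server 2008 R2 (6.1)
    # no longer receive updates; the remediation there is to upgrade.
    if ($ver.Major -eq 6 -and $ver.Minor -le 1) { $r.EndOfLife = $true }

    # Get-HotFix reads Win32_QuickFixEngineering. On Windows 10 and later the
    # original KB may be superseded by a cumulative update, so a missing exact
    # KB there is a prompt to check the installed cumulative level, not proof
    # of exposure.
    $r.PatchInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # SecurityServicesRunning contains 2 when HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg -and ($dg.SecurityServicesRunning -contains 2)) { $r.HvciRunning = $true }

    # Exposed to this CVE when the fix is absent; EOL flagged separately
    # because a patched Windows 7 host is still unsupported going forward.
    $r.Exposed = -not $r.PatchInstalled
    [pscustomobject]$r
}

Test-Ms15135Posture -KbId 'KBxxxxxxx' | Format-List
```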

Key Details

Property              Value
--------------------  ----------------------------------------------------
CVE ID                CVE-2015-6175
Vendor / Product      Microsoft — Windows
NVD Published         2015-12-09
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-264 — Permissions, Privileges, and Access Controls
CISA KEV Added        2022-05-25
CISA KEV Deadline     2022-06-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
-------------------  ----------
Attack Vector        Local
Attack Complexity    Low
Privileges Required  None
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date        Event
----------  --------------------------------------------------------------------------------------
2015-12-08  Microsoft Security Bulletin MS15-135 released; CVE-2015-6175 patched (December 2015 Patch Tuesday)
2015-12-09  CVE-2015-6175 published by NVD
2022-05-25  Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15  CISA BOD 22-01 remediation deadline