CVE-2017-0005 — Microsoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability

CVE-2017-0005

Microsoft Windows GDI — Zero-Day GDI Kernel LPE Attributed to APT3 Grants SYSTEM Privileges; Patched in MS17-013 (March 2017)

What Is the Windows Graphics Device Interface (GDI)?

The Windows Graphics Device Interface (GDI) is the Windows subsystem that handles 2D rendering, text output, font management, and the lifecycle of GDI objects (bitmaps, brushes, pens, fonts, palettes, regions) for Win32 applications. Applications call it through user-mode gdi32.dll, but object management and most of the drawing work happen in the kernel-mode driver win32k.sys. That combination, kernel-mode code reachable from any user-mode process through ordinary Win32 calls, makes win32k bugs among the most valuable local privilege escalation targets on Windows: a GDI kernel vulnerability lets code already running at low privilege, including inside an application sandbox, escalate to SYSTEM.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 24, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0005 is a use-after-free privilege escalation vulnerability in the Windows GDI kernel component (win32k.sys). It is notable for having been exploited as a zero-day, attributed to APT3 (Gothic Panda), a Chinese state-sponsored threat actor, before Microsoft patched it in MS17-013 on March 14, 2017. In those targeted campaigns against defense, aerospace, and high-tech organizations, the GDI LPE served as the privilege escalation stage, paired with a separate initial-access exploit to reach full system compromise. CISA added CVE-2017-0005 to the KEV catalog on May 24, 2022.

Affected Versions

Windows Version                              | Status
Windows Vista SP2                            | Vulnerable
Windows Server 2008 SP2 and 2008 R2 SP1      | Vulnerable
Windows 7 SP1                                | Vulnerable
Windows 8.1                                  | Vulnerable
Windows Server 2012 and 2012 R2              | Vulnerable
Windows 10 (versions 1507, 1511, 1607)       | Vulnerable
Any of the above with MS17-013 applied       | Fixed

Technical Details

Root Cause: GDI Kernel Use-After-Free

CVE-2017-0005 is a use-after-free (CWE-416) in the GDI kernel driver, win32k.sys. The driver manages the lifecycle of GDI objects (bitmaps, brushes, fonts, palettes, regions) through a handle table and reference counting. A particular sequence of object operations, reachable through ordinary GDI API calls from user mode, causes the kernel to free an object while a reference to it remains live. When that stale reference is later used, the memory it points to may already have been reclaimed by an allocation the attacker controls, giving the attacker influence over what the kernel reads and, from there, a path to arbitrary kernel memory read/write.

Exploitation:

  • Low-privilege or sandboxed code calls Win32 GDI APIs in the specific sequence that triggers the bug
  • The kernel frees a GDI object while a handle or pointer to it remains live (the use-after-free)
  • The attacker allocates same-size objects whose contents they control, so one of them reclaims the freed kernel memory
  • The kernel follows the stale reference and reads attacker-controlled data in place of the original object, typically a function pointer or size field, which the attacker turns into a kernel read/write or code-execution primitive
  • With that primitive the attacker performs a standard token-stealing payload: copy the SYSTEM token from the System process's EPROCESS into the current process's EPROCESS, so the attacker's process now runs as SYSTEM
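The sequence above, as a constructed C model added here. It is not win32k.sys code and does not reproduce the real CVE-2017-0005 trigger, which this page does not give: a fixed-size pool stands in for the kernel pool, an index-based table for the GDI handle table, and a small struct with a function pointer for the GDI object. The pool, the struct layout, the handle table and the ATTACKER_PTR value are all assumptions chosen to make the memory reuse deterministic. `stale_callback_buggy` walks steps two to four (free with a live handle, spray, read through the stale handle) and returns the pointer the attacker planted; `stale_callback_fixed` runs the same sequence against a teardown that clears the handle entry before freeing, so the lookup fails and nothing is read from reclaimed memory.

```c
/* Constructed model of the bug class described above: not win32k.sys code
 * and not the real CVE-2017-0005 trigger. The pool, handle table, object
 * layout and ATTACKER_PTR are assumptions that make the reuse deterministic. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define POOL_SLOTS   4
#define CHUNK_SIZE   32
#define MAX_HANDLES  8
#define ATTACKER_PTR ((uintptr_t)0x41414141u)  /* value the spray plants */

/* Stand-in for a GDI kernel object: a type tag, a reference count, and a
 * function pointer the kernel calls later. Controlling that pointer is what
 * turns "the kernel read attacker data" into kernel code execution. */
typedef struct {
    uint32_t  type;
    uint32_t  refs;
    uintptr_t callback;
} kobj;

/* Fixed-size pool. The next same-size allocation reuses the first free
 * chunk, which is exactly the property a UAF spray relies on. */
typedef union { uint8_t raw[CHUNK_SIZE]; kobj obj; } chunk;
static chunk pool[POOL_SLOTS];
static bool  chunk_busy[POOL_SLOTS];

/* Handle table: a handle is just an index into this array. */
static kobj *handle_table[MAX_HANDLES];

static void *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!chunk_busy[i]) {
            chunk_busy[i] = true;
            return memset(&pool[i], 0, CHUNK_SIZE);
        }
    return NULL;
}

static void pool_free(void *p)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if ((void *)&pool[i] == p)
            chunk_busy[i] = false;
}

static void reset_state(void)
{
    memset(chunk_busy, 0, sizeof chunk_busy);
    memset(handle_table, 0, sizeof handle_table);
}

static int create_object(uintptr_t callback)
{
    for (int h = 0; h < MAX_HANDLES; h++) {
        if (handle_table[h] != NULL) continue;
        kobj *o = pool_alloc();
        if (o == NULL) return -1;
        o->type = 1; o->refs = 1; o->callback = callback;
        handle_table[h] = o;
        return h;
    }
    return -1;
}

static kobj *lookup(int h)
{
    return (h >= 0 && h < MAX_HANDLES) ? handle_table[h] : NULL;
}

/* Buggy teardown: the chunk is freed but the handle entry keeps pointing at
 * it. That dangling entry is the stale reference of the use-after-free. */
static void destroy_object_buggy(int h)
{
    if (h >= 0) pool_free(handle_table[h]);
}

/* Fixed teardown: drop the handle entry before releasing the memory, so a
 * later lookup through the old handle fails instead of following a dead pointer. */
static void destroy_object_fixed(int h)
{
    if (h < 0) return;
    kobj *o = handle_table[h];
    handle_table[h] = NULL;
    pool_free(o);
}

/* Spray: take every free same-size chunk and fill it with controlled bytes,
 * laid out so the callback field reads as ATTACKER_PTR. */
static void spray(void)
{
    for (kobj *c = pool_alloc(); c != NULL; c = pool_alloc()) {
        memset(c, 0x41, CHUNK_SIZE);
        c->callback = ATTACKER_PTR;
    }
}

/* Steps two to four: buggy free, spray, read through the stale handle.
 * Returns the callback value the kernel would now use: the attacker's. */
uintptr_t stale_callback_buggy(void)
{
    reset_state();
    int h = create_object((uintptr_t)0x1000);   /* legitimate pointer */
    destroy_object_buggy(h);
    spray();
    kobj *o = lookup(h);
    return o ? o->callback : 0;
}

/* Same sequence against the fixed teardown: lookup fails, so 0 is returned. */
uintptr_t stale_callback_fixed(void)
{
    reset_state();
    int h = create_object((uintptr_t)0x1000);
    destroy_object_fixed(h);
    spray();
    kobj *o = lookup(h);
    return o ? o->callback : 0;
}
```

The model stops at step four: it shows why the spray works (same-size allocation reclaims the freed chunk) and why tearing down the reference before the free closes the window, but it does not model step five, the token-stealing payload, or the kernel mitigations (SMEP, KASLR) that decide how a controlled function pointer becomes kernel code execution on a given Windows version.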

APT3 Zero-Day Exploitation

CVE-2017-0005 was discovered being exploited as a zero-day by APT3 (also tracked as Gothic Panda, UPS Team, Buckeye, and TG-0110), a Chinese state-sponsored espionage group:

  • APT3 is known for targeting US defense contractors, government agencies, and technology firms
  • The zero-day was used as the privilege escalation stage in targeted attack chains: after initial access via phishing or another vulnerability, APT3 used CVE-2017-0005 to escalate to SYSTEM
  • FireEye attributed the exploitation to APT3 and reported it to Microsoft as part of coordinated disclosure

Comparison to CVE-2017-0001

CVE-2017-0005 and CVE-2017-0001 are both Windows GDI kernel LPEs patched in the same MS17-013 advisory. CVE-2017-0005 is distinguished by:

  • APT3 nation-state zero-day attribution (higher threat actor sophistication)
  • Targeted use against specific high-value organizations

Attack Characteristics

Attribute           | Detail
Attack Vector       | Local: requires code already executing on the host, at any privilege level
Privileges Required | Low: any process, including sandboxed ones
Impact              | SYSTEM privileges via kernel memory corruption
Threat Actor        | APT3 (Gothic Panda, China)
Exploitation        | Zero-day, in use before the March 2017 patch

Discovery

Discovered by FireEye researchers through threat intelligence analysis of APT3 attack campaigns. FireEye reported the zero-day to Microsoft, which fixed it in MS17-013 as part of the regular March 14, 2017 Patch Tuesday release.

Exploitation Context

  • Nation-state zero-day investment: APT3's use of CVE-2017-0005 as a zero-day reflects the investment sophisticated state actors make in Windows kernel vulnerability research; a working GDI LPE is a valuable capability because it breaks out of any Windows application sandbox
  • Targeted espionage campaigns: the exploitation took place within long-running espionage campaigns against US and allied defense and technology sectors, consistent with Chinese strategic intelligence priorities
  • Exploit chain positioning: GDI LPEs are almost always second-stage exploits; CVE-2017-0005 follows a spear-phishing or browser exploit and converts limited initial code execution into full OS access for persistence and data exfiltration
  • CISA KEV (2022): added May 24, 2022, which records CISA's evidence of active exploitation, though the KEV entry itself carries no attribution

Remediation

CISA BOD 22-01 Deadline: June 14, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply MS17-013 — install the March 2017 Microsoft Graphics Component update via Windows Update, WSUS, or MECM. All subsequent Windows cumulative updates include this fix.

  2. Keep Windows fully updated — apply all current Windows cumulative security updates.

  3. Keep initial attack vectors patched — CVE-2017-0005 requires prior code execution; keeping browsers, Office, and PDF readers current removes the initial exploitation step that precedes the GDI LPE.

  4. Monitor for the effects of token manipulation — EDR tooling does not see the kernel write itself, but it can flag its aftermath: a process whose token changes to SYSTEM without a legitimate elevation path, SYSTEM-level child processes spawned by a medium- or low-integrity parent (a browser renderer or Office process), and sandboxed processes suddenly performing privileged actions. These behavioural signals apply to kernel LPEs generally, not only CVE-2017-0005.

Key Details

Property             | Value
CVE ID               | CVE-2017-0005
Vendor / Product     | Microsoft — Windows
NVD Published        | 2017-03-17
NVD Last Modified    | 2025-10-22
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-416 — Use After Free
CISA KEV Added       | 2022-05-24
CISA KEV Deadline    | 2022-06-14
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector       | Local
Attack Complexity   | Low
Privileges Required | Low
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2022-06-14. Apply updates per vendor instructions.

Timeline

Date       | Event
2017-03-14 | Microsoft releases MS17-013 patching CVE-2017-0005; exploitation attributed to APT3 (Gothic Panda)
2017-03-17 | CVE-2017-0005 published by NVD
2022-05-24 | Added to CISA Known Exploited Vulnerabilities catalog
2022-06-14 | CISA BOD 22-01 remediation deadline