CVE-2017-0213 — Microsoft Windows Privilege Escalation Vulnerability

CVE-2017-0213

Microsoft Windows — COM Aggregate Marshaler Flaw Enables LPE from Standard User to SYSTEM; Used in Ransomware Post-Exploitation; Patched May 2017

What Is Windows COM?

Component Object Model (COM) is Microsoft's binary interface standard and runtime for software components that call each other across apartment, process and machine boundaries. When a call crosses one of those boundaries, COM marshals it: interface pointers and arguments are packaged on the caller's side and unpacked (unmarshaled) on the callee's side by system-provided code. The aggregate marshaler is the standard marshaler in its aggregated form; an object pulls it in (for example through CoGetStdMarshalEx) so that the system code marshals the object while the object keeps control of its own identity and interfaces. COM is deeply integrated into Windows: a great many system services and applications expose COM servers, and each server's registry entries (CLSID and AppID) determine how it is activated and under which account it runs, which for many system services is LocalSystem. Because a low-privileged client can legitimately hand objects to a higher-privileged server, any mistake in how the server side validates what it unmarshals becomes a privilege boundary problem, and COM has been a recurring source of standard-user-to-SYSTEM escalations.

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on March 28, 2022; federal agencies were required to apply mitigations under BOD 22-01.

CVE-2017-0213 is a local privilege escalation (LPE) vulnerability in the Windows COM aggregate marshaler. An attacker who already runs code as a standard user executes a specially crafted application that presents a malformed aggregated object to a COM server running at higher privilege; the marshaler does not properly validate what it unmarshals, and the attacker ends up executing code as SYSTEM. Microsoft patched the flaw in the May 2017 security update. CISA's catalog entry carries the Known Ransomware Use flag: the bug was adopted in post-exploitation toolchains in which operators first gain a foothold as a standard user (through phishing or a remote code execution bug) and then use CVE-2017-0213 to reach SYSTEM before deploying the ransomware payload. CISA added the CVE to the KEV catalog in March 2022.

Affected Versions

Windows Version   Status
Windows 7 SP1   Vulnerable
Windows 8.1   Vulnerable
Windows RT 8.1   Vulnerable
Windows Server 2008 SP2 / 2008 R2 SP1   Vulnerable
Windows Server 2012 / 2012 R2   Vulnerable
Windows 10 (all versions prior to the May 2017 update)   Vulnerable
Windows Server 2016   Vulnerable
Any of the above with the May 2017 security update installed   Fixed

Technical Details

Root Cause: COM Aggregate Marshaler Privilege Mishandling

NVD classifies CVE-2017-0213 as improper privilege management (CWE-269); Microsoft's advisory says only that Windows "improperly handles objects in memory". The bug is in the COM aggregate marshaler, the standard marshaling code that runs on both sides when an aggregated object's interface pointer crosses a process boundary. When a higher-privileged COM server unmarshals an object supplied by a low-privileged client, the marshaler trusts the client's description of that object instead of validating it, so the client can make the server's runtime treat the object as something it is not (Google Project Zero, which reported the bug, described it as a type confusion). The result is attacker-controlled execution inside the privileged server process, typically one running as SYSTEM. The point that matters for defenders is that the attacker's own process is never elevated: the malicious code runs in a process that was already SYSTEM.

Exploitation mechanism:

  • An attacker who can already execute code as a standard (low-privilege) user runs a specially crafted application
  • The application builds a malformed aggregated COM object and gets a privileged COM server (one running as SYSTEM) to unmarshal it
  • The server-side marshaler does not validate the object it receives, so the attacker controls what the server calls next and gains code execution inside that SYSTEM process
  • From a SYSTEM process the attacker has full control of the machine; no UAC prompt is involved, because the standard-user process never asks to elevate, and UAC is not a security boundary in any case

Role in ransomware kill chains: Ransomware operators need SYSTEM privileges to:

  • Read and encrypt files owned by other users and by the system, including paths a standard user's ACLs do not reach
  • Disable or tamper with Windows Defender and other security tools, which requires administrator or SYSTEM rights
  • Delete Volume Shadow Copies (vssadmin delete shadows, wmic shadowcopy delete) so victims cannot restore from local snapshots
  • Read credentials cached in LSASS memory, which needs SeDebugPrivilege or a SYSTEM token, and use them to move laterally across the domain

CVE-2017-0213 offered a reliable, low-complexity path from standard user to SYSTEM on every Windows version supported in 2017, which is why it earned a place in post-exploitation toolkits.

Attack Characteristics

Attribute   Detail
Attack Vector   Local; requires code execution as a standard user
Prerequisites   Low-privilege user account or an existing code execution foothold
Complexity   Low; straightforward exploitation once a foothold exists
Impact   Full SYSTEM privileges
Ransomware role   Post-exploitation privilege escalation

Discovery

Reported to Microsoft by James Forshaw of Google Project Zero through coordinated disclosure and patched in the May 2017 Patch Tuesday security update, released May 9, 2017.

Exploitation Context

  • Ransomware post-exploitation: CVE-2017-0213 was incorporated into ransomware deployment chains where threat actors first compromised a workstation via phishing or a document exploit, then used CVE-2017-0213 to escalate to SYSTEM before deploying ransomware across the environment; CISA's Known Ransomware Use flag on the KEV entry reflects confirmed adoption by ransomware operators
  • Common privilege escalation pattern: The LPE vulnerability filled the same role as CVE-2017-0101 (Transaction Manager LPE) in the 2017 threat landscape — multiple ransomware operators maintained a portfolio of Windows LPE exploits to use depending on the target OS version
  • Chained with RCE vulnerabilities: In drive-by and phishing campaigns, attackers used CVE-2017-0213 as the second stage: a browser or Office RCE provided initial code execution in user context, then CVE-2017-0213 elevated to SYSTEM
  • CISA KEV (2022): Added March 2022 as part of a batch of Windows LPE vulnerabilities confirmed in active exploitation by ransomware operators

Remediation

CISA BOD 22-01 Deadline: April 18, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply May 2017 security update — install the May 9, 2017 Windows security update, which patches CVE-2017-0213 on all affected Windows versions.

  2. Enforce least privilege and application control — make sure users work from standard (non-administrative) accounts, and restrict what those accounts can execute (AppLocker or Windows Defender Application Control). CVE-2017-0213 starts from a standard user, so least privilege alone does not stop it, but the exploit still has to run as an executable the user launched; blocking unapproved binaries removes that first step.

  3. Enable Windows Defender Credential Guard — it moves NTLM hashes and Kerberos tickets out of LSASS into a virtualization-protected process, so even code running as SYSTEM cannot dump them. It does not prevent the escalation itself, but it limits what a SYSTEM foothold yields for lateral movement. It is available on Windows 10 Enterprise and Windows Server 2016 or later, not on Windows 7 or 8.1.

  4. Deploy endpoint detection and response (EDR) — behavioral detection catches the process creation and COM object manipulation patterns associated with LPE exploitation, even before a signature exists.

  5. Monitor for anomalous SYSTEM-level process creation — with a COM marshaling bug of this kind the attacker's payload runs inside a COM server process that was already SYSTEM (a DCOM surrogate such as dllhost.exe, or a service host), so the tell is a SYSTEM-integrity child of such a host that is a shell interpreter (cmd.exe, powershell.exe), lives in a user-writable directory, or deletes shadow copies. The classic LPE signal, a process owned by a standard user spawning a SYSTEM-integrity child with no elevation, covers token-stealing style exploits and is worth alerting on as well. Windows Security event 4688 (with command-line logging enabled) or Sysmon event 1 supply the needed fields.
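Step 5 above and the list under "Role in ransomware kill chains" both come down to the same triage: find SYSTEM-integrity process creation that a standard user should not have been able to cause, and weight it by what the new process does. The script below is an added example, not code from the advisory, from Microsoft or from any vendor detection; it runs that triage over constructed records shaped like Sysmon Event ID 1 after a SIEM has flattened them to key/value pairs. The rule names, the set of COM host processes, the user-writable path list, the severity thresholds and the sample events are this example's own assumptions.

```python
"""Triage of process-creation events for SYSTEM escalation followed by
ransomware preparation. Added example; rules and samples are assumptions.

Records are dicts with Sysmon Event ID 1 field names (Image, CommandLine,
IntegrityLevel, User, ParentImage, ParentUser). ParentUser is only filled in
by newer Sysmon releases; when it is missing the first rule simply stays quiet.
"""
import re
from typing import Dict, Iterable, List

# Accounts that legitimately own SYSTEM-integrity parents (services, DCOM hosts).
SERVICE_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
                    r"NT AUTHORITY\NETWORK SERVICE"}
# Processes that host privileged COM servers. For a marshaling bug like
# CVE-2017-0213 the payload runs inside one of these, so their children matter.
COM_SERVER_HOSTS = {"dllhost.exe", "svchost.exe"}
# Interpreters an attacker typically launches first from a hijacked server.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# A SYSTEM-integrity image living where a standard user can write is suspect.
USER_WRITABLE = re.compile(r"\\users\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)
# Recovery sabotage ransomware performs once it holds SYSTEM/admin rights.
RECOVERY_SABOTAGE = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]

R_USER_PARENT = "SYSTEM-integrity child of a process owned by a non-service user"
R_COM_SHELL = "privileged COM host spawned a SYSTEM shell interpreter"
R_WRITABLE = "SYSTEM-integrity process image in a user-writable directory"
R_SABOTAGE = "recovery sabotage command line"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event trips (empty list if none)."""
    reasons: List[str] = []
    image_path = ev.get("Image", "")
    parent = _basename(ev.get("ParentImage", ""))
    parent_user = ev.get("ParentUser", "").upper()
    is_system = ev.get("IntegrityLevel", "").lower() == "system"
    if is_system and parent_user and parent_user not in SERVICE_ACCOUNTS:
        reasons.append(R_USER_PARENT)          # token-style LPE: user parent, SYSTEM child
    if is_system and parent in COM_SERVER_HOSTS and _basename(image_path) in SHELLS:
        reasons.append(R_COM_SHELL)            # COM-server hijack: host spawns a shell
    if is_system and USER_WRITABLE.search(image_path):
        reasons.append(R_WRITABLE)             # staged payload now running as SYSTEM
    if any(p.search(ev.get("CommandLine", "")) for p in RECOVERY_SABOTAGE):
        reasons.append(R_SABOTAGE)             # shadow copy / recovery destruction
    return reasons


def severity(reasons: List[str]) -> str:
    """Shadow-copy deletion is high on its own; the other rules need corroboration."""
    if R_SABOTAGE in reasons or len(reasons) >= 2:
        return "high"
    return "medium" if reasons else "none"


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through the rules and keep those worth an analyst's time."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        reasons = classify(ev)
        sev = severity(reasons)
        if sev != "none":
            alerts.append({"host": ev.get("Computer", "?"), "image": _basename(ev.get("Image", "")),
                           "severity": sev, "reasons": reasons})
    return alerts


# Constructed sample events (not from a real incident): a benign service child;
# a chain in which a hijacked DCOM surrogate starts a SYSTEM shell, the shell
# runs a staged binary from the user's temp directory, and that binary deletes
# shadow copies; a benign user process; and a token-style escalation in which a
# user-owned process spawns a SYSTEM child directly.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\taskhostw.exe", "CommandLine": "taskhostw.exe",
     "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\stage2.exe",
     "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\dllhost.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
     "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage2.exe", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "IntegrityLevel": "Medium", "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentUser": r"CORP\bob"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Users\bob\Downloads\invoice.exe", "ParentUser": r"CORP\bob"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['host']:5} {a['severity']:6} {a['image']:14} {'; '.join(a['reasons'])}")
```

Run stand-alone it prints four alerts from the six sample events: the SYSTEM cmd.exe under dllhost.exe and the staged binary in the user's temp directory as medium, the shadow-copy deletion as high, and the user-owned invoice.exe spawning a SYSTEM shell as medium. The benign taskhostw.exe and notepad.exe events produce nothing. In production the svchost.exe rule will need tuning, because the Task Scheduler service host legitimately starts SYSTEM command interpreters for scheduled tasks; that is why the COM-host rule is only medium on its own and is meant to be correlated with the writable-image and sabotage rules.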

Key Details

Property   Value
CVE ID   CVE-2017-0213
Vendor / Product   Microsoft — Windows
NVD Published   2017-05-12
NVD Last Modified   2025-10-22
CVSS 3.1 Score   7.3
CVSS 3.1 Vector   CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity   HIGH
CWE   CWE-269 — Improper Privilege Management
CISA KEV Added   2022-03-28
CISA KEV Deadline   2022-04-18
Known Ransomware Use   ⚠️ Yes

CVSS 3.1 Breakdown

Metric   Value
Attack Vector   Local
Attack Complexity   Low
Privileges Required   Low
User Interaction   Required
Scope   Unchanged
Confidentiality   High
Integrity   High
Availability   High

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date   Event
2017-05-09   Microsoft releases the May 2017 Patch Tuesday security update patching CVE-2017-0213
2017-05-12   CVE-2017-0213 published by NVD
2022-03-28   Added to the CISA Known Exploited Vulnerabilities catalog
2022-04-18   CISA BOD 22-01 remediation deadline

References

Resource   Type
NVD — CVE-2017-0213   Vulnerability Database
CISA KEV Catalog Entry   US Government
Microsoft Security Advisory — CVE-2017-0213   Vendor Advisory