CVE-2015-2465
Description
The Windows shell in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 does not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "Windows Shell Security Feature Bypass Vulnerability."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Windows Shell fails to properly constrain impersonation levels, allowing local privilege escalation via a crafted application.
Vulnerability
The Windows Shell component in multiple Microsoft Windows versions does not properly constrain impersonation levels. Affected editions include Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 [1]. This flaw allows a locally authenticated attacker to bypass intended security restrictions by running a specially crafted application that triggers improper impersonation behavior.
Exploitation
An attacker must have local access to the system and be able to execute arbitrary code as a low-privileged user. No user interaction is required beyond running the crafted application. The attacker can exploit the vulnerability by launching a program that manipulates the impersonation mechanism to gain higher privileges [1].
Impact
Successful exploitation results in elevation of privilege, allowing the attacker to execute code with elevated integrity levels. This could lead to full control of the affected system, including the ability to install programs, view, change, or delete data, and create new accounts with full user rights [1].
Mitigation
Microsoft released security update MS15-080, which addresses the vulnerability by correcting how the Windows Shell validates impersonation levels. The update was made available on August 11, 2015, for all affected software versions [1]. No workarounds are documented in the advisory. Applying the update is the only known mitigation.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
13- cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*+ 2 more
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
- Range: Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, Windows 10
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-080nvdPatchVendor Advisory
- www.securitytracker.com/id/1033238nvdThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.