Mallory
Severity: High · CISA KEV · Exploited in the wild · Public exploit

Windows CLFS Driver Elevation of Privilege

Identifiers: CVE-2023-28252 · CWE-122 (Heap-based Buffer Overflow)

CVE-2023-28252 is an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver, CLFS.sys, classified as CWE-122 (heap-based buffer overflow). It was exploited in the wild as a zero-day and is one of a recurring series of vulnerabilities in the CLFS subsystem. CLFS exploitation commonly relies on clfsw32.dll APIs such as CreateLogFile and AddLogContainer to create and manipulate BLF log files, which the driver then parses; a malformed BLF file yields kernel memory corruption primitives that can be used to escalate privileges. Exploitation happens after initial compromise and results in elevation to SYSTEM.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker who already has code execution on a target Windows system to elevate privileges to SYSTEM. This makes the vulnerability useful in post-compromise intrusion chains, including ransomware operations: full local takeover of the affected host enables disabling or bypassing protections, credential theft, persistence, and broader lateral movement from a higher-privileged context.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce the opportunity for post-compromise exploitation by limiting initial access vectors and local code execution paths, enforcing least privilege, restricting execution of untrusted binaries, and monitoring for suspicious CLFS-related behavior. Detection opportunities include unusual use of clfsw32.dll APIs such as CreateLogFile and AddLogContainer, BLF file creation or manipulation by low- or medium-integrity processes, suspicious integrity-level transitions culminating in SYSTEM activity, and user-mode behavior consistent with kernel memory corruption or local privilege escalation.
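One way to operationalize the detection opportunities above (BLF file creation and clfsw32.dll use by low- or medium-integrity processes), as an added example that is not from this page or from Mallory: it correlates constructed Sysmon-style events (process create, image load, file create) per ProcessGuid and only flags processes that show both signals, since either signal alone is common in normal Windows operation. Field names follow Sysmon's schema; the sample events, paths and the Low/Medium threshold are assumptions.

```python
"""Correlate constructed Sysmon-style events to surface BLF-file activity by
low/medium-integrity processes. This is a triage heuristic, not a signature."""
import json

# Constructed sample events (not real telemetry). Sysmon EventID 1 = ProcessCreate,
# 7 = ImageLoad, 11 = FileCreate; all three carry ProcessGuid, which we join on.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "IntegrityLevel": "Medium",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "ProcessGuid": "{B2}", "IntegrityLevel": "System",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}", "ImageLoaded": r"C:\Windows\System32\clfsw32.dll"},
    {"EventID": 11, "ProcessGuid": "{A1}", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\log.blf"},
    {"EventID": 7, "ProcessGuid": "{B2}", "ImageLoaded": r"C:\Windows\System32\clfsw32.dll"},
    {"EventID": 11, "ProcessGuid": "{B2}", "TargetFilename": r"C:\Windows\System32\LogFiles\WMI\RtBackup\x.blf"},
]

SUSPECT_INTEGRITY = {"Low", "Medium"}  # assumption: SYSTEM/High callers are expected CLFS users


def find_suspicious_blf_activity(events):
    """Return one finding per Low/Medium-integrity process that both loads
    clfsw32.dll and creates a .blf file. Processes without a creation record
    are skipped because their integrity level is unknown."""
    procs = {}  # ProcessGuid -> {image, integrity, clfs_loaded, blf_files}
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            procs[guid] = {"image": ev["Image"], "integrity": ev["IntegrityLevel"],
                           "clfs_loaded": False, "blf_files": []}
            continue
        p = procs.get(guid)
        if p is None:
            continue
        if ev["EventID"] == 7 and ev["ImageLoaded"].lower().endswith("\\clfsw32.dll"):
            p["clfs_loaded"] = True
        elif ev["EventID"] == 11 and ev["TargetFilename"].lower().endswith(".blf"):
            p["blf_files"].append(ev["TargetFilename"])
    return [
        {"ProcessGuid": g, "Image": p["image"], "IntegrityLevel": p["integrity"],
         "BlfFiles": p["blf_files"]}
        for g, p in procs.items()
        if p["integrity"] in SUSPECT_INTEGRITY and p["clfs_loaded"] and p["blf_files"]
    ]


if __name__ == "__main__":
    for finding in find_suspicious_blf_activity(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Treat hits as triage leads and baseline them against the legitimate CLFS users in your environment before turning this into an alert.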

Remediation

Patch, then assume compromise.

Apply Microsoft's April 2023 security updates that address CVE-2023-28252 on affected Windows systems. Because the flaw was exploited in the wild as a zero-day and used by ransomware operators, prioritize patching on exposed and high-value endpoints, especially systems where initial access by malware or unprivileged users is plausible.
PUBLIC EXPLOITS

Exploits

3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 3 / 4 total

CVE-2023-28252 · Maturity: PoC · Verified exploit

This repository contains a functional local privilege escalation exploit for CVE-2023-28252, a vulnerability in the Windows Common Log File System (CLFS) driver (CLFS.sys). The exploit is implemented in C++ and is designed to run on Windows 10/11 (21H2/22H2) and Windows Server 2022 with vulnerable versions of CLFS.sys. The exploit works by crafting and manipulating .blf log files and leveraging kernel memory operations to overwrite the process token, thereby granting SYSTEM privileges to the attacker. The main entry point is 'clfs_eop/clfs_eop.cpp', which orchestrates the environment setup, kernel address discovery, file crafting, and the actual privilege escalation. The exploit does not require network access and must be executed locally. The repository includes supporting headers and Visual Studio project files, but the core logic resides in the C++ source files. No external endpoints are targeted; the attack is purely local, focusing on the CLFS.sys driver and associated log files.

fortra · Disclosed Jun 27, 2023 · C++ · local

CLFS · Maturity: PoC · Verified exploit

This repository contains a working local privilege escalation exploit for CVE-2023-28252, a vulnerability in the Microsoft Windows Common Log File System (CLFS) driver (CLFS.SYS). The main exploit logic is implemented in C++ (lib/clfs_eop.cpp and lib/clfs_eop.h), with supporting project files for Visual Studio. The exploit works by manipulating kernel memory structures via the CLFS driver to obtain a SYSTEM token, thereby elevating the attacker's privileges to SYSTEM. The code includes logic for kernel address discovery, pipe spraying, and direct system calls to achieve the exploit. The repository also includes two simple VBScript files (encrypt.vbs and decrypt.vbs) for text encoding/decoding, which are unrelated to the main exploit. The exploit targets multiple versions of Windows 10, Windows 11, and Windows Server (2016, 2019, 2022) as specified in the header comments. The attack vector is local, requiring the attacker to execute code on the target system. The main fingerprintable endpoint is the CLFS.SYS driver file. The exploit is operational and provides SYSTEM-level access if successful.

byt3n33dl3 · Disclosed Mar 21, 2024 · C++, VBScript · local

CVE-2023-28252-Compiled-exe · Maturity: PoC · Verified exploit

This repository contains a C++ implementation of a local privilege escalation exploit for CVE-2023-28252, targeting the Windows Common Log File System (CLFS) driver (clfs.sys). The exploit is based on Fortra's original proof-of-concept and is modified to allow the user to specify an arbitrary binary to execute as SYSTEM after successful exploitation. The main code is in 'clfs_eop/clfs_eop.cpp', with supporting headers and Visual Studio project files. The exploit works by manipulating kernel memory structures via the vulnerable driver, ultimately replacing the current process token with a SYSTEM token and then executing the specified payload. The exploit is operational and can be used to run any command or binary as SYSTEM on affected Windows versions. The only fingerprintable endpoint is the path to the vulnerable driver. The repository is well-structured for building with Visual Studio and includes both source and project files.

duck-sec · Disclosed Jan 22, 2024 · C++ · local
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability; specific CPE configurations and version ranges are not listed here.

Vendor                 | Product                   | Type
Microsoft Corporation  | Windows 10 1507           | operating_system
Microsoft Corporation  | Windows 10 1607           | operating_system
Microsoft Corporation  | Windows 10 1809           | operating_system
Microsoft Corporation  | Windows 10 20H2           | operating_system
Microsoft Corporation  | Windows 10 21H2           | operating_system
Microsoft Corporation  | Windows 10 22H2           | operating_system
Microsoft Corporation  | Windows 11 21H2           | operating_system
Microsoft Corporation  | Windows 11 22H2           | operating_system
Microsoft Corporation  | Windows Server 2008       | operating_system
Microsoft Corporation  | Windows Server 2008 R2    | operating_system
Microsoft Corporation  | Windows Server 2008 SP2   | operating_system
Microsoft Corporation  | Windows Server 2012       | operating_system
Microsoft Corporation  | Windows Server 2012 R2    | operating_system
Microsoft Corporation  | Windows Server 2016       | operating_system
Microsoft Corporation  | Windows Server 2019       | operating_system
Microsoft Corporation  | Windows Server 2022       | operating_system

Vendor-confirmed product mapping.
