Source: Microsoft Security Response Center

CVE-2022-21837: Microsoft SharePoint Server Remote Code Execution Vulnerability

**How could an attacker exploit the vulnerability?** An authenticated attacker with access to the domain could perform remote code execution on the SharePoint server to elevate themselves to SharePoint admin.

CVE-2022-21850: Remote Desktop Client Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.

CVE-2022-21849: Windows IKE Extension Remote Code Execution Vulnerability

**Are there any prerequisites to a successful attack?** Yes, only systems with the IPSec service running are vulnerable to this attack.

CVE-2022-21848: Windows IKE Extension Denial of Service Vulnerability

**Are there any prerequisites to a successful attack?** Yes, only systems with the IPSec service running are vulnerable to this attack.

CVE-2022-21914: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

**What type of privileges could an attacker gain through this vulnerability?** A local, authenticated attacker could gain elevated privileges through a vulnerable file system component.

CVE-2022-21889: Windows IKE Extension Denial of Service Vulnerability

**Are there any prerequisites to a successful attack?** Yes, only systems with the IPSec service running are vulnerable to this attack.

CVE-2022-21928: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

**According to the score, the attack vector is Physical. How would an attacker exploit this vulnerability?** To exploit this vulnerability, an attacker with physical access to a vulnerable system could insert a specially crafted USB device.

**Are there additional attack vectors?** This vulnerability can also be exploited through a Local attack vector. An attacker authenticated as an administrator on a vulnerable system could mount a specially crafted virtual hard drive (VHD) to exploit the system. This scenario results in a lower CVSS score, which is why the primary attack vector is listed as Physical in our documentation.

CVE-2022-21890: Windows IKE Extension Denial of Service Vulnerability

**Are there any prerequisites to a successful attack?** Yes, only systems with the IPSec service running are vulnerable to this attack.

CVE-2022-21969: Microsoft Exchange Server Remote Code Execution Vulnerability

**According to the CVSS, the attack vector is Adjacent. What does that mean and how is that different from a Network vector?** This vulnerability's attack is limited at the protocol level to a logically adjacent topology. This means it cannot simply be done across the internet, but instead needs something specific tied to the target. Good examples would include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or otherwise limited administrative domain (MPLS, secure VPN to an administrative network zone). This is common to many attacks that require man-in-the-middle type setups or that rely on initially gaining a foothold in another environment.

CVE-2022-21961: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

**According to the score, the attack vector is Physical. How would an attacker exploit this vulnerability?** To exploit this vulnerability, an attacker with physical access to a vulnerable system could insert a specially crafted USB device.

**Are there additional attack vectors?** This vulnerability can also be exploited through a Local attack vector. An attacker authenticated as an administrator on a vulnerable system could mount a specially crafted virtual hard drive (VHD) to exploit the system. This scenario results in a lower CVSS score, which is why the primary attack vector is listed as Physical in our documentation.