

Hitachi Incident Response Team


HIRT-PUB15004: HTTP.sys Remote Code Execution issue


Last Updated: April 20, 2015

1. Overview

The HTTP protocol stack (HTTP.sys) of Microsoft Windows contains an integer overflow vulnerability that may allow an attacker to remotely execute arbitrary code via crafted HTTP requests. This vulnerability has been assigned CVE-2015-1635 and is referred to as the "HTTP.sys Remote Code Execution Vulnerability".

April 14, 2015
A security update for HTTP.sys (CVE-2015-1635, MS15-034) was released by Microsoft.

April 15, 2015
Proof-of-concept code for CVE-2015-1635 was released to the public. Denial of Service (DoS) exploits for CVE-2015-1635, affecting Microsoft IIS, are also widely available.

CVSS Severity

 Base Metrics: 10.0
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

 Temporal Metrics: 8.3 (April 20, 2015)
  Exploitability: Functional exploit exists
  Remediation Level: Official fix
  Report Confidence: Confirmed

2. Affected Systems

+ cpe:/o:microsoft:windows_7
+ cpe:/o:microsoft:windows_server_2008:r2
+ cpe:/o:microsoft:windows_8
+ cpe:/o:microsoft:windows_8.1
+ cpe:/o:microsoft:windows_server_2012
+ cpe:/o:microsoft:windows_server_2012:r2

3. Impact

This vulnerability allows a remote attacker to cause a denial of service (BSOD: Blue Screen of Death) or execute arbitrary code via crafted HTTP requests.

4. Solution

Apply an update

5. Product Information

April 17, 2015

The issue is currently under investigation.

6. References

Vulnerability Enumeration

Other Information

7. Update history

April 20, 2015
  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)