📄 Description (English)
Microsoft Windows TS WebProxy Directory Traversal Vulnerability — Directory traversal vulnerability in the TS WebProxy (TSWbPrxy) component in Microsoft Windows allows remote attackers to escalate privileges.
🤖 AI Executive Summary
CVE-2015-0016 is a critical directory traversal vulnerability in Microsoft Windows TS WebProxy (TSWbPrxy) component with a CVSS score of 9.0. Remote attackers can exploit this flaw to escalate privileges without authentication. Active exploits exist in the wild, making this a high-priority patching target despite its age. Organizations using Remote Desktop Services or Terminal Services are particularly vulnerable.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Mar 24, 2026 06:55
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government entities under NCA oversight that utilize Remote Desktop Services for remote workforce access, particularly relevant post-Vision 2030 digital transformation initiatives. Banking sector institutions regulated by SAMA using RDS for remote banking operations face elevated risk of unauthorized access to financial systems. Healthcare facilities using Terminal Services for medical record access are vulnerable to patient data breaches violating Saudi Data Protection Law. Energy sector organizations including ARAMCO contractors using RDS for SCADA/ICS remote management face potential operational disruption. Telecommunications providers (STC, Mobily, Zain) using Windows-based management infrastructure are at risk of network compromise.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Energy
Telecommunications
Education
Defense
Critical Infrastructure
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running TS WebProxy/Remote Desktop Services using network scanning tools
2. Apply Microsoft Security Bulletin MS15-004 patches immediately for all affected Windows versions
3. Implement network segmentation to isolate RDS servers from untrusted networks
4. Enable NLA (Network Level Authentication) on all RDP endpoints
PATCHING GUIDANCE:
- Windows Server 2008/2008 R2: Install KB3019978
- Windows Server 2012/2012 R2: Install KB3019978
- Windows 7/8/8.1: Install KB3019978
- Verify patch installation via Windows Update history
COMPENSATING CONTROLS (if patching delayed):
- Disable TS WebProxy service if not required: Stop 'TSWbPrxy' service
- Restrict RDP access via firewall rules to known IP ranges only
- Implement VPN requirement for all RDS connections
- Deploy IPS signatures to detect directory traversal attempts
DETECTION RULES:
- Monitor for HTTP requests to TSWbPrxy containing '../' or encoded traversal sequences
- Alert on privilege escalation events (Event ID 4672) from RDS sessions
- Log all RDS connection attempts and review for anomalies
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تشغل TS WebProxy/خدمات سطح المكتب البعيد باستخدام أدوات فحص الشبكة
2. تطبيق تصحيحات نشرة أمان مايكروسوفت MS15-004 فوراً لجميع إصدارات ويندوز المتأثرة
3. تنفيذ تجزئة الشبكة لعزل خوادم RDS عن الشبكات غير الموثوقة
4. تفعيل مصادقة مستوى الشبكة (NLA) على جميع نقاط RDP
إرشادات الترقيع:
- ويندوز سيرفر 2008/2008 R2: تثبيت KB3019978
- ويندوز سيرفر 2012/2012 R2: تثبيت KB3019978
- ويندوز 7/8/8.1: تثبيت KB3019978
- التحقق من تثبيت التصحيح عبر سجل Windows Update
الضوابط التعويضية (في حال تأخر الترقيع):
- تعطيل خدمة TS WebProxy إذا لم تكن مطلوبة: إيقاف خدمة 'TSWbPrxy'
- تقييد وصول RDP عبر قواعد الجدار الناري لنطاقات IP المعروفة فقط
- تطبيق متطلب VPN لجميع اتصالات RDS
- نشر توقيعات IPS للكشف عن محاولات اجتياز الدليل
قواعد الكشف:
- مراقبة طلبات HTTP إلى TSWbPrxy التي تحتوي على '../' أو تسلسلات اجتياز مشفرة
- التنبيه على أحداث رفع الصلاحيات (معرف الحدث 4672) من جلسات RDS
- تسجيل جميع محاولات اتصال RDS ومراجعتها للكشف عن الشذوذ
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Vulnerability Management
5.1.2 - Patch Management
4.2.1 - Access Control
4.3.1 - Network Security
6.2.1 - Security Monitoring and Analysis
🔵 SAMA CSF
CCC.1.1 - Vulnerability Assessment and Management
CCC.1.2 - Patch Management
CCC.4.1 - Access Control
CCC.6.1 - Security Monitoring
CCC.8.1 - Incident Response
🟡 ISO 27001:2022
A.12.6.1 - Management of Technical Vulnerabilities
A.9.1.2 - Access to Networks and Network Services
A.13.1.1 - Network Controls
A.12.4.1 - Event Logging
A.16.1.4 - Assessment of Information Security Events
🟣 PCI DSS v4.0
6.2 - Ensure all systems are protected from known vulnerabilities
6.6 - Address new threats and vulnerabilities
8.1 - Define and implement policies for proper user identification
10.2.5 - Log use of identification and authentication mechanisms
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Microsoft:Windows