cbcvebase.
CVE-2006-4704
published 2006-11-01

CVE-2006-4704: Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2) ActiveX control (WmiScriptUtils.dll) in Microsoft Visual Studio…

PriorityP267medium6.8CVSS 2.0
AVNACMAuNCPIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
42.85%
98.5th percentile
Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2) ActiveX control (WmiScriptUtils.dll) in Microsoft Visual Studio 2005 allows remote attackers to bypass Internet zone restrictions and execute arbitrary code by instantiating dangerous objects, aka "WMI Object Broker Vulnerability."

Affected

1 ranges
VendorProductVersion rangeFixed in
microsoftvisual_studio_net

Detection & IOCsextracted from sources · hover to see the quote

other{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}
filenameWmiScriptUtils.dll
otherWMIScriptUtils.WMIObjectBroker2
  • Detect instantiation of the WMIScriptUtils.WMIObjectBroker2.1 ActiveX control via CLSID {7F5B7F63-F06F-4331-8A26-339E03C0AE3D} in browser context, which is the direct indicator of CVE-2006-4704 exploitation.
  • The Incognito exploit kit uses this vulnerability as Step 0 (entry point) to initialize objects for vulnerable ActiveX controls and inject a malicious file via function 'gr'; look for multi-stage exploit kit traffic combining CVE-2006-4704 with CVE-2010-1423 (Java Deployment Toolkit) and malicious PDF iframes.
  • The Metasploit module for this CVE delivers a payload EXE by writing it to %TEMP%\<random>.exe via ADODB.Stream and executing it with WScript.Shell; monitor for ADODB.Stream SaveToFile calls followed by WScript.Shell Run from Internet Explorer child processes.
  • The exploit uses obfuscated JavaScript with split string concatenation (e.g. 'W'+'Sc'+'ri'+'pt'+'.'+'S'+'he'+'ll') to instantiate WScript.Shell and ADODB.Stream; detect this pattern in script content delivered to IE.
  • Monitor for the Incognito exploit kit URL patterns (common URL patterns remain consistent within the kit) and cross-reference with malwaredomainlist; the kit also injects iframes pointing to malicious PDFs.
  • ·The Metasploit module caps the vulnerable IE user-agent maximum version at 6.1 to avoid triggering the IE7/8 popup behavior; detections scoped to UA version may miss edge cases in badly misconfigured IE7/8 environments.

CVSS provenance

nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.