CVE-2007-1658
published 2007-03-24

Priority: P348 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.77% (98.3th percentile)

Windows Mail in Microsoft Windows Vista might allow user-assisted remote attackers to execute certain programs via a link to a (1) local file or (2) UNC share pathname in which there is a directory with the same base name as an executable program at the same level, as demonstrated using C:/windows/system32/winrm (winrm.cmd) and migwiz (migwiz.exe).

Detection & IOCs (extracted from sources)

path: C:/windows/system32/winrm
filename: winrm.cmd
filename: migwiz.exe
  • Look for Windows Mail (winmail.exe) launching child processes such as cmd.exe, winrm.cmd, or migwiz.exe, which would indicate exploitation of the directory/executable name-collision vulnerability.
  • Monitor for Windows Mail processing links pointing to local file paths or UNC share pathnames (\\server\share\...) that resolve to directories sharing a base name with an executable at the same level.
  • Inspect HTML email bodies for anchor tags or href links referencing local drive paths (e.g., C:/) or UNC paths, delivered via a text/html MIME part, as used in the proof-of-concept exploit.
  • Exploitation requires user interaction: the victim must click a maliciously crafted link inside Windows Mail on Vista.
  • The UNC navigation vector enables remote code execution beyond local file execution, broadening the attack surface to network shares.
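
One way to implement the HTML-body inspection from the detection notes above, as an added example that is not part of the original entry or of any vendor tooling. The sample message, the host name fileserver.example, the rule names and the function name suspicious_links are assumptions made for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message for this example (not the original proof of concept).
SAMPLE_EML = """\
From: sender@example.com
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Plain part: C:/windows/system32/winrm mentioned outside any link.
--b1
Content-Type: text/html; charset="utf-8"

<a href="C:/windows/system32/winrm">local</a>
<a href="\\\\fileserver.example\\share\\migwiz">unc</a>
<a href="https://example.com/help">web</a>
--b1--
"""

# href forms named in the detection notes: local drive paths and UNC share paths.
RULES = [
    ("local-drive", re.compile(r"^[A-Za-z]:[\\/]")),
    ("unc", re.compile(r"^\\\\[^\\/]+[\\/]")),
]

class HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]

def suspicious_links(raw_message):
    """Return (rule, href) pairs for anchors found in text/html MIME parts only."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue  # plain-text mentions of a path are not clickable links
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", "replace")
        collector = HrefCollector()
        collector.feed(body)
        for href in collector.hrefs:
            findings += [(name, href) for name, rx in RULES if rx.search(href)]
    return findings
```

A hit only shows that a link targets a local or UNC path; whether that path is a directory sharing a base name with an executable has to be checked on the host.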