CVE-2007-3896
published 2007-10-11

Priority: P2 (74), critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploitation: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 53.83% (98.9th percentile)
The URL handling in Shell32.dll in the Windows shell in Microsoft Windows XP and Server 2003, with Internet Explorer 7 installed, allows remote attackers to execute arbitrary programs via invalid "%" sequences in a mailto: or other URI handler, as demonstrated using mIRC, Outlook, Firefox, Adobe Reader, Skype, and other applications. NOTE: this issue might be related to other issues involving URL handlers in Windows systems, such as CVE-2007-3845. There also might be separate but closely related issues in the applications that are invoked by the handlers.

Affected (1 range)

Vendor     | Product           | Version range | Fixed in
microsoft  | internet_explorer | (not given)   | (not given)

Detection & IOCs (extracted from sources)

Indicators:
  • url:  http:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
  • url:  mailto:test% ../../../../windows/system32/calc.exe".cmd
  • path: Shell32.dll
Detection guidance:
  • Look for URI handler invocations (mailto:, http:, or other schemes) containing invalid or malformed '%' percent-encoding sequences, which are used to break out of the URI context and inject path traversal sequences.
  • Monitor for path traversal patterns (e.g., '../' sequences) embedded within URI handler strings passed to Shell32.dll, particularly those terminating in executable extensions such as .bat, .cmd, or .exe.
  • Detect process creation events where shell URI handler processing (Shell32.dll) spawns unexpected child processes, especially cmd.exe or other executables launched via .bat/.cmd wrappers.

Notes:
  • The vulnerability is only triggered on Windows XP and Server 2003 systems that have Internet Explorer 7 installed; systems without IE7 are not affected by this specific attack path.
  • This issue may be chained with CVE-2007-3845 (Firefox protocol handling command injection); detections should account for both CVEs being used together as a combined attack vector.
  • There may be separate but closely related vulnerabilities within the individual client applications invoked by the URI handlers, not solely in Shell32.dll itself.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | 2.0     | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck |         | 9.3   | CRITICAL |