CVE-2010-0027
published 2010-01-22


Priority: P262
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 33.98% (98.2th percentile)
The URL validation functionality in Microsoft Internet Explorer 5.01, 6, 6 SP1, 7 and 8, and the ShellExecute API function in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, does not properly process input parameters, which allows remote attackers to execute arbitrary local programs via a crafted URL, aka "URL Validation Vulnerability."

Affected

11 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer
microsoft | internet_explorer

Detection & IOCs (extracted from sources)

path: C:\Users\Lostmon\Searches\Everywhere.search-ms
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; file.data; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; classtype:attempted-user; sid:2010798; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit payloads use crafted URIs containing path traversal sequences ('../../') combined with a Windows absolute path ('C:\') to escape to the local filesystem and execute arbitrary local programs via ShellExecute or IE URL handling.
  • The vulnerability can also be triggered via any application calling the ShellExecute() API with attacker-controlled input, not just Internet Explorer — broaden detection scope beyond browser traffic.
  • The Emerging Threats Snort rule (SID 2010798) targets inbound HTTP responses (to_client) containing the traversal+Windows path pattern, suitable for perimeter/IDS deployment.
  • The Snort rule inspects the HTTP response body (to_client, file.data); ensure your IDS/IPS is configured to inspect full HTTP response payloads, not just headers, for this rule to fire.
  • The ET rule metadata lists confidence as 'Medium'; expect potential false positives, and tune the PCRE pattern against your environment before enabling block mode.
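
One way to act on the tuning advice above, as an added example that is not part of the ET ruleset or of this page's sources: a Python re-implementation of the rule's two content matches and its PCRE, run over response bodies known to be benign to estimate how often SID 2010798 would alert on them. The function names and the sample bodies are assumptions made for illustration, and the `within` and `nocase` handling approximates the IDS engine's semantics.

```python
import re

# Literal byte patterns copied from the rule's two content matches.
CONTENT_1 = b"#:../../"   # content:"#|3A|../../";
CONTENT_2 = b"c:\\"       # content:"C|3A 5C|"; nocase;  (compared against lowercased body)
WITHIN = 50               # within:50, counted from the end of the CONTENT_1 match
# pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"
RULE_PCRE = re.compile(rb"\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]", re.S | re.I)


def content_hits(body: bytes):
    """Yield (offset of CONTENT_1, offset of CONTENT_2) pairs that satisfy within:50."""
    lowered = body.lower()
    start = body.find(CONTENT_1)
    while start != -1:
        end1 = start + len(CONTENT_1)
        window = lowered[end1:end1 + WITHIN]  # CONTENT_2 must lie fully inside this window
        rel = window.find(CONTENT_2)
        if rel != -1:
            yield start, end1 + rel
        start = body.find(CONTENT_1, start + 1)


def rule_fires(body: bytes) -> bool:
    """True when the content pair and the PCRE both match, as the rule requires."""
    return next(content_hits(body), None) is not None and bool(RULE_PCRE.search(body))


def false_positive_rate(known_benign_bodies) -> float:
    """Share of known-benign response bodies the rule would alert on."""
    bodies = list(known_benign_bodies)
    return sum(rule_fires(b) for b in bodies) / len(bodies) if bodies else 0.0


# Constructed sample bodies, standing in for responses captured from your own network.
SAMPLES = {
    "site_nav": b'<a href="../../index.html">Home</a> <p>Install to C:\\Tools</p>',
    "kb_article": b"<p>SID 2010798 looks for #:../../ followed by a path such as "
                  b"C:\\Windows within 50 bytes.</p>",
    "plain_text": b"Quarterly report, nothing path-like here.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} fires={rule_fires(body)}")
    print("false-positive rate:", false_positive_rate(SAMPLES.values()))
```

Benign pages that merely describe the pattern (security write-ups, rule documentation) are the kind of content that trips the rule, which is why it should be measured in alert mode against local traffic before it is used to block.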