CVE-2012-0151
Published 2012-04-10. CVE-2012-0151: The Authenticode Signature Verification function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2…
Priority: P1 · 84 · high · CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 88.78% (99.8th percentile)
The Authenticode Signature Verification function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and Windows 8 Consumer Preview does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute arbitrary code via a modified file with additional content, aka "WinVerifyTrust Signature Validation Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
Detections:
- Detect mshta.exe spawned with a .dll argument (appContast.dll or reboot.dll), which is the execution mechanism for the CVE-2012-0151-abusing payloads
- Alert on regsvr32.exe loading DLLs (9092.dll, zoom.dll) from %appdata% subdirectories, indicative of Zloader persistence
- Detect msiexec.exe making outbound network connections to unexpected domains — Zloader injects into msiexec for C2 communication
- Flag signed PE files where the embedded signature size fields have been modified and extra data is appended beyond the WIN_CERTIFICATE structure — the exploit technique for CVE-2012-0151
- Monitor for creation of WScriptSleeper.vbs in %temp% as an early-stage indicator of this Zloader infection chain
- Detect batch scripts (new1.bat) disabling cmd.exe and Task Manager via registry, combined with Windows Defender exclusion additions — a hallmark of this campaign's defense evasion
Notes:
- The fix for CVE-2012-0151 (strict WinVerifyTrust PE digest validation) is disabled by default and must be manually opted in via registry keys; without this opt-in, signed-but-modified PE files will still pass signature validation
- The malicious DLL payload hash changes every few days as the campaign authors update files on the C2 server, making hash-based detection unreliable for this campaign
- zoom.dll referenced in the persistence mechanism was missing at time of analysis, suggesting the campaign was still under active development
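The fourth detection item above (modified signature size fields plus extra data inside the WIN_CERTIFICATE structure) can be checked statically, because the Authenticode digest excludes the Attribute Certificate Table and any bytes hidden there leave the signature intact. The following is an added Python example, not code from this page or from any of the sources it lists: it parses a PE file's security directory, walks the WIN_CERTIFICATE entries, and reports slack after the PKCS#7 blob or data trailing the table. The minimal PE32+ image it builds, the `FAKE_SIGNED_DATA` stand-in for a real SignedData blob, and all function names are constructed for the example.

```python
import struct

# WIN_CERTIFICATE constants from the PE/COFF specification (Attribute Certificate Table)
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_total_length(buf: bytes) -> int:
    """Length (tag + length field + content) of the first DER element in buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER element")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def security_directory(pe: bytes) -> tuple:
    """Return (file_offset, size) of the Attribute Certificate Table, or (0, 0) if absent."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}[magic]  # data directories start (PE32 / PE32+)
    count = struct.unpack_from("<I", pe, opt + dirs - 4)[0]  # NumberOfRvaAndSizes
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, opt + dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_certificate_table(pe: bytes) -> list:
    """Heuristic findings about unexpected bytes in or after the Authenticode signature."""
    findings = []
    off, size = security_directory(pe)
    if size == 0:
        return ["no certificate table (unsigned)"]
    end = off + size
    if end > len(pe):
        return ["certificate table extends past end of file"]
    if end != len(pe):
        findings.append("%d bytes after certificate table" % (len(pe) - end))
    pos = off
    while pos + 8 <= end:
        dw_len, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if dw_len < 8 or pos + dw_len > end:
            findings.append("WIN_CERTIFICATE dwLength inconsistent with table size")
            break
        blob = pe[pos + 8:pos + dw_len]    # bCertificate
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            der_len = der_total_length(blob)
            if der_len > len(blob):
                findings.append("PKCS#7 length exceeds WIN_CERTIFICATE")
            else:
                slack = blob[der_len:]     # anything here is not covered by the digest
                if len(slack) > 7 or slack.strip(b"\0"):
                    findings.append("%d bytes of extra data after PKCS#7 blob" % len(slack))
        pos += (dw_len + 7) & ~7           # entries are 8-byte aligned
    return findings


# Constructed stand-in for a DER SignedData blob (a SEQUENCE holding one INTEGER);
# a real signature would be a full PKCS#7 structure.
FAKE_SIGNED_DATA = bytes.fromhex("3005" "0203010203")


def build_sample_pe(signed_data: bytes, extra: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (headers only, not executable) with one WIN_CERTIFICATE."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    cert_off = 64 + 4 + 20 + 240
    blob = signed_data + extra                           # extra = bytes smuggled into bCertificate
    cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    samples = [("clean", build_sample_pe(FAKE_SIGNED_DATA)),
               ("padded", build_sample_pe(FAKE_SIGNED_DATA, b"A" * 40)),
               ("appended", build_sample_pe(FAKE_SIGNED_DATA) + b"B" * 10)]
    for name, image in samples:
        print(name, check_certificate_table(image) or ["ok"])
```

Run it against a real binary with `check_certificate_table(open(path, "rb").read())`. It is a triage heuristic: up to seven bytes of zero padding after the DER blob is normal alignment, so only larger or non-zero slack is reported, and a hit still needs the signature itself verified with WinVerifyTrust (with the strict validation opted in, as the note above describes).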
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
GHSA
GHSA-99qx-cj76-9w2h · ghsa_unreviewed · 2022-05-04 · CVE-2012-0151 [HIGH] CWE-20
The Authenticode Signature Verification function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and Windows 8 Consumer Preview does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute arbitrary code via a modified file with additional content, aka "WinVerifyTrust Signature Validation Vulnerability."
VulnCheck
Microsoft Windows Authenticode Signature Verification Remote Code Execution Vulnerability · vulncheck · 2012 · CVSS 7.8 · CVE-2012-0151 [HIGH] CWE-20
The Authenticode Signature Verification function in Microsoft Windows (WinVerifyTrust) does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute code.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.fortiguard.com/encyclopedia/ips/31536
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-22
CISA
Microsoft Windows Authenticode Signature Verification Remote Code Execution Vulnerability · cisa · 2022-06-08 · CVSS 7.8 · CVE-2012-0151 [HIGH] CWE-20
Affected: Microsoft Windows
The Authenticode Signature Verification function in Microsoft Windows (WinVerifyTrust) does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-0151
Remediation Due Date: 2022-06-22
No detection rules found.
No public exploits indexed.
Checkpoint
Can You Trust a File's Digital Signature? New Zloader Campaign exploits Microsoft's Signature Verification putting users at risk · blogs_checkpoint · 2022-01-05 · CVE-2020-1599
Research by: Golan Cohen
Introduction
Last seen i
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 10 · blogs_zscaler · CVSS 9.3 [CRITICAL]
References:
- http://osvdb.org/81135
- http://secunia.com/advisories/48581
- http://www.securitytracker.com/id?1026906
- http://www.us-cert.gov/cas/techalerts/TA12-101A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-024
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15594
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0151
Timeline:
- 2012-04-10: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild