CVE-2012-0151
published 2012-04-10

CVE-2012-0151: Microsoft Windows Authenticode Signature Verification, aka "WinVerifyTrust Signature Validation Vulnerability"

Priority: P184 · Severity: high · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerabilities (KEV): listed, remediation due 2022-06-22
Exploited in the wild (ITW): yes
EPSS: 88.78% (99.8th percentile)
The Authenticode Signature Verification function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and Windows 8 Consumer Preview does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute arbitrary code via a modified file with additional content, aka "WinVerifyTrust Signature Validation Vulnerability."
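The flaw described above is that the Authenticode digest does not cover the certificate table, so bytes added inside or after a WIN_CERTIFICATE entry leave the signature intact. The script below, an added example that is not code from the original page or from Microsoft, parses the security data directory of a PE file, walks its WIN_CERTIFICATE entries and flags non-zero bytes after the PKCS#7 blob and data appended past the table. The sample image it checks is a constructed minimal PE32+ built in memory (not a real, runnable binary), and the PKCS#7 blob is a filler DER SEQUENCE standing in for a real SignedData structure.

```python
"""
Walk the Authenticode certificate table of a PE file and flag bytes that the
signature does not cover: non-zero content after the PKCS#7 blob inside a
WIN_CERTIFICATE entry (the CVE-2012-0151 / WinVerifyTrust smuggling pattern)
and data appended after the table.

Added example, not code from the original page or from Microsoft. The sample
image below is a constructed minimal PE32+ assembled in memory for the demo.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERTIFICATE_HEADER = struct.Struct("<IHH")   # dwLength, wRevision, wCertificateType


def security_directory(pe):
    """Return (file_offset, size) of the certificate table from the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                            # skip PE\0\0 and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)   # PE32 / PE32+ data directories
    if dd_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", pe, dd_base - 4)[0]        # NumberOfRvaAndSizes
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    # Unlike the other directories, the security entry holds a file offset, not an RVA.
    return struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def der_sequence_length(buf):
    """Encoded size of a leading DER SEQUENCE (tag + length + content), or None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_certificate_table(pe):
    """Return a list of findings; an empty list means the table looks clean."""
    findings = []
    cert_off, cert_size = security_directory(pe)
    if cert_size == 0:
        return ["no certificate table (file is not Authenticode-signed)"]
    table_end = cert_off + cert_size
    if table_end > len(pe):
        return ["certificate table runs past end of file"]
    pos = cert_off
    while pos + WIN_CERTIFICATE_HEADER.size <= table_end:
        dw_len, _rev, ctype = WIN_CERTIFICATE_HEADER.unpack_from(pe, pos)
        if dw_len < WIN_CERTIFICATE_HEADER.size or pos + dw_len > table_end:
            findings.append("entry at 0x%x: dwLength %d inconsistent with table size" % (pos, dw_len))
            break
        body = pe[pos + WIN_CERTIFICATE_HEADER.size:pos + dw_len]
        der_len = der_sequence_length(body) if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA else None
        if der_len is None or der_len > len(body):
            findings.append("entry at 0x%x: body is not a well-formed PKCS#7 SEQUENCE" % pos)
        elif any(body[der_len:]):
            # Only zero alignment padding may follow the DER blob; anything else was smuggled in.
            findings.append("entry at 0x%x: %d non-zero bytes after the PKCS#7 blob"
                            % (pos, len(body) - der_len))
        pos += (dw_len + 7) & ~7                        # entries are 8-byte aligned
    if len(pe) > table_end:
        findings.append("%d bytes appended after the certificate table" % (len(pe) - table_end))
    return findings


def build_pe(cert_body, overlay=b""):
    """Constructed minimal PE32+ with one WIN_CERTIFICATE entry at offset 0x200 (demo only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    entry = WIN_CERTIFICATE_HEADER.pack(WIN_CERTIFICATE_HEADER.size + len(cert_body),
                                        WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
    entry += b"\0" * (-len(entry) % 8)
    cert_off = 0x200
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)   # x64, no sections
    opt = bytearray(240)                                # 112-byte PE32+ header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(entry))
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return headers + b"\xCC" * (cert_off - len(headers)) + entry + overlay


# Stand-in for a real PKCS#7 SignedData blob: a 100-byte DER SEQUENCE of filler (constructed).
FAKE_SIGNATURE = b"\x30\x82" + (100).to_bytes(2, "big") + b"\xA5" * 100
# Constructed stand-in for content an attacker tacks onto the signed blob.
SMUGGLED = b"<script language=vbscript>' payload lives here</script>"

if __name__ == "__main__":
    for label, image in [("clean", build_pe(FAKE_SIGNATURE)),
                         ("smuggled", build_pe(FAKE_SIGNATURE + SMUGGLED)),
                         ("overlay", build_pe(FAKE_SIGNATURE, overlay=b"\x90" * 32))]:
        print(label, check_certificate_table(image) or ["ok"])
```

On a real file, `check_certificate_table(open(path, "rb").read())` is enough; the parser reads only the headers and the certificate table, so it does not need the full PE section layout. The "non-zero bytes after the PKCS#7 blob" finding is the one that corresponds to a modified-but-still-valid signature; it is what the strict WinVerifyTrust padding check rejects once that check is enabled.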

Affected

1 range
Vendor    | Product             | Version range  | Fixed in
microsoft | windows_server_2008 | (not recorded) | (not recorded)

Note: the description above names more affected platforms (Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, Server 2008 R2 and R2 SP1, Windows 7 Gold and SP1, Windows 8 Consumer Preview) than this single recorded range; treat the range data as incomplete.

Detection & IOCs (extracted from sources)

registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
command:  mshta.exe appContast.dll
command:  regsvr32.exe 9092.dll
path:     %appdata%
path:     %temp%
  • Detect mshta.exe spawned with a .dll argument (appContast.dll or reboot.dll), which is the execution mechanism for the CVE-2012-0151-abusing payloads
  • Alert on regsvr32.exe loading DLLs (9092.dll, zoom.dll) from %appdata% subdirectories, indicative of Zloader persistence
  • Detect msiexec.exe making outbound network connections to unexpected domains — Zloader injects into msiexec for C2 communication
  • Flag signed PE files where the embedded signature size fields have been modified and extra data is appended beyond the WIN_CERTIFICATE structure — the exploit technique for CVE-2012-0151
  • Monitor for creation of WScriptSleeper.vbs in %temp% as an early-stage indicator of this Zloader infection chain
  • Detect batch scripts (new1.bat) disabling cmd.exe and Task Manager via registry, combined with Windows Defender exclusion additions — a hallmark of this campaign's defense evasion
  • The strict WinVerifyTrust digest check that rejects signed PE files with extra, non-zero bytes in the certificate table is opt-in: Microsoft ships it disabled and it has to be enabled via registry. Microsoft documents the setting, EnableCertPaddingCheck (REG_SZ, data "1") under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node equivalent on 64-bit systems), with the related CVE-2013-3900, which carries the same "WinVerifyTrust Signature Validation Vulnerability" title. Without this opt-in, signed-but-modified PE files still pass signature validation
  • The malicious DLL payload hash changes every few days as the campaign authors update files on the C2 server, making hash-based detection unreliable for this campaign
  • zoom.dll, referenced in the persistence mechanism, was missing at the time of analysis, suggesting the campaign was still under active development
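The detection points in the list above (mshta.exe with a .dll argument, regsvr32.exe loading from %appdata%, msiexec.exe reaching unexpected destinations, WScriptSleeper.vbs in %temp%, and the tool-disabling plus Defender-exclusion combination) are implemented below as rules over constructed Sysmon-style events. This is an added example, not code from the original page or from any vendor: the hostnames, user paths and the `c2.example.invalid` destination are made up, and the msiexec allowlist suffixes are an assumption to be tuned per environment. The evasion rule is stateful, firing only when both a tool-disable and a Defender-exclusion command are seen on the same host, which is the "combined" condition the list describes.

```python
"""
Detection logic for the Zloader execution, persistence and evasion indicators
listed above, run over constructed Sysmon-style events. Added example, not code
from the original page or from any vendor; events, hosts and paths are made up.
"""
import re

# Assumed allowlist of destinations msiexec.exe may legitimately reach (tune per estate).
MSIEXEC_ALLOWED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# User-writable drop locations the indicators reference (%appdata%, %temp%).
USER_WRITABLE = re.compile(r"%appdata%|%temp%|\\AppData\\(Roaming|Local\\Temp)\\", re.I)
DLL_ARG = re.compile(r"\S+\.dll(\s|$)", re.I)
TOOL_DISABLE = re.compile(r"\b(DisableCMD|DisableTaskMgr)\b", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion", re.I)


def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def rule_mshta_dll(ev):
    """mshta.exe handed a .dll: the launcher for the signed-but-modified DLL."""
    return ev["type"] == "process" and image_name(ev) == "mshta.exe" \
        and DLL_ARG.search(ev["cmdline"]) is not None


def rule_regsvr32_appdata(ev):
    """regsvr32.exe registering a DLL from a user-writable directory."""
    return ev["type"] == "process" and image_name(ev) == "regsvr32.exe" \
        and ".dll" in ev["cmdline"].lower() and USER_WRITABLE.search(ev["cmdline"]) is not None


def rule_msiexec_network(ev):
    """msiexec.exe talking to anything outside the allowlist (injected C2)."""
    return ev["type"] == "network" and image_name(ev) == "msiexec.exe" \
        and not ev["dest_host"].lower().endswith(MSIEXEC_ALLOWED_SUFFIXES)


def rule_sleeper_vbs(ev):
    """WScriptSleeper.vbs written under %temp%: early-stage marker."""
    return ev["type"] == "file" and ev["target"].lower().endswith("\\wscriptsleeper.vbs") \
        and USER_WRITABLE.search(ev["target"]) is not None


RULES = [("mshta_dll", rule_mshta_dll), ("regsvr32_appdata", rule_regsvr32_appdata),
         ("msiexec_network", rule_msiexec_network), ("sleeper_vbs", rule_sleeper_vbs)]


def run(events):
    """Return (host, rule) hits; the evasion rule needs both signals on one host."""
    hits = []
    evasion = {}
    for ev in events:
        hits.extend((ev["host"], name) for name, rule in RULES if rule(ev))
        if ev["type"] == "process":
            seen = evasion.setdefault(ev["host"], set())
            if TOOL_DISABLE.search(ev["cmdline"]):
                seen.add("tool_disable")
            if DEFENDER_EXCLUSION.search(ev["cmdline"]):
                seen.add("defender_exclusion")
    for host, seen in evasion.items():
        if {"tool_disable", "defender_exclusion"} <= seen:
            hits.append((host, "defense_evasion_combo"))
    return hits


# Constructed sample telemetry (Sysmon-like field names); not a real capture.
EVENTS = [
    {"host": "ws1", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"host": "ws1", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell Add-MpPreference -ExclusionPath "C:\Users\u\AppData\Roaming\Zoom"'},
    {"host": "ws1", "type": "file", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\WScriptSleeper.vbs"},
    {"host": "ws1", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Roaming\appContast.dll"},
    {"host": "ws1", "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\u\AppData\Roaming\Zoom\9092.dll"},
    {"host": "ws1", "type": "network", "image": r"C:\Windows\System32\msiexec.exe",
     "dest_host": "c2.example.invalid", "dest_port": 443},
    # Benign look-alikes that must not fire.
    {"host": "ws2", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"host": "ws2", "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"host": "ws2", "type": "network", "image": r"C:\Windows\System32\msiexec.exe",
     "dest_host": "download.microsoft.com", "dest_port": 443},
]

if __name__ == "__main__":
    for host, rule in run(EVENTS):
        print(host, rule)
```

Because the payload hashes rotate every few days, none of these rules key on a file hash; they match on behaviour (which binary ran what, from where, and where it connected), which survives the campaign's file updates.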

CVSS provenance

Source    | Version | Score | Severity                          | Vector
nvd       | 3.1     | 7.8   | HIGH                              | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd       | 2.0     | 9.3   | HIGH (CVSS v2 has no Critical band) | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck |         | 7.8   | HIGH                              |
cisa      |         | 7.8   | HIGH                              |