CVE-2013-0810
published 2013-09-11

Priority: P270, high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 59.88% (99.0th percentile)

Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, and Windows Server 2008 SP2 allow remote attackers to execute arbitrary code via a crafted screensaver in a theme file, aka "Windows Theme File Remote Code Execution Vulnerability."

Detection & IOCs (extracted from sources)

filename: msf.theme
filename: .scr
path: \\<host>\<share>\<random>.scr

  • Detect .theme files containing a [boot] section with a UNC (\\server\share\file.scr) path as the Screen Saver value, which is the exploit delivery mechanism.
  • Monitor for outbound SMB connections (port 445/139) initiated by explorer.exe or desk.cpl shortly after a .theme file is opened or applied, as the exploit triggers an SMB fetch of a remote .scr payload.
  • Alert on .scr files being loaded from UNC/SMB paths (\\<remote>\...) as a screensaver, which is abnormal and indicative of CVE-2013-0810 exploitation.
  • The Metasploit module targets only Windows XP SP3 and Windows 2003 SP2; exploitation on other listed affected platforms (Vista SP2, Server 2008 SP2) may require different targeting.
  • The UNC share name and .scr filename are randomly generated per session, so static filename-based IOCs will not reliably detect all instances; focus on behavioral patterns (UNC screensaver path in .theme files) instead.
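
The first check in the list above (a UNC path as the screensaver value in the [boot] section of a .theme file), written as a small scanner. This is an added example, not code from the sources this page summarizes. It assumes the screensaver entry uses the key name SCRNSAVE.EXE from the Windows theme file format (the page only says "Screen Saver value"), and the sample inputs are constructed.

```python
import re
import sys

def decode_theme(data: bytes) -> str:
    """Theme files are INI text; handle UTF-16 with a BOM as well as 8-bit text."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")

def is_unc(path: str) -> bool:
    """True for \\\\host\\share paths, also when written with forward slashes."""
    p = path.replace("/", "\\")
    if p.startswith(("\\\\?\\", "\\\\.\\")):  # device prefix: remote only as \\?\UNC\...
        return p[4:].upper().startswith("UNC\\")
    return re.match(r"\\\\[^\\]+\\[^\\]+", p) is not None

def screensaver_values(text: str):
    """Yield each SCRNSAVE.EXE value under [boot]; names compared case-insensitively."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "scrnsave.exe":
                yield value.strip().strip('"')

def unc_screensavers(data: bytes) -> list:
    """Return the UNC screensaver paths in one .theme file; empty list means none."""
    return [v for v in screensaver_values(decode_theme(data)) if is_unc(v)]

# Constructed samples (not from the page); 192.0.2.10 is a documentation address.
BENIGN = b"[Theme]\r\nDisplayName=Sample\r\n[boot]\r\nSCRNSAVE.EXE=%WinDir%\\System32\\logon.scr\r\n"
SUSPICIOUS = b"[Theme]\r\nDisplayName=Sample\r\n[boot]\r\nSCRNSAVE.EXE=\\\\192.0.2.10\\share\\abc.scr\r\n"

if __name__ == "__main__":
    # Usage: python scan_theme.py file1.theme file2.theme ...
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            for hit in unc_screensavers(fh.read()):
                print(f"{name}: UNC screensaver path {hit}")
```

Because the match is on the shape of the path rather than on a share or file name, it is unaffected by the per-session random names noted above.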

CVSS provenance

nvd, v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C