CVE-2013-3893
published 2013-09-18


Priority: P188 (high) · CVSS 3.1: 8.8
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-09-02
Exploited in the wild
EPSS: 85.93% (99.7th percentile)
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |
| microsoft | internet_explorer | | |

Detection & IOCs (extracted from sources)

filename: mshtml.dll
filename: hxds.dll
other: ms-help:
  • The CVE-2013-3893 exploit triggers loading of hxds.dll via an ms-help: URL; monitor for iexplore.exe loading hxds.dll as an anomalous module-load event.
  • CVE-2013-3893 was exploited in Operation DeputyDog against Japanese government targets in August 2013; prioritise detection of process memory anomalies in IE 8 and IE 9.
  • A public Metasploit module for CVE-2013-3893 was released; scan for Metasploit-generated exploit traffic patterns against IE targets.
  • Group 72 / Axiom domains follow a pattern of encoding victim company names or acronyms in subdomains (e.g., companyname.attackerdomain.com); use this naming pattern for proactive domain hunting.
  • DeputyDog (Fexel) samples associated with CVE-2013-3893 campaigns use campaign codes 'kumanichi' and 'moon'; hunt for these strings in memory or network beacons.
  • C&C IP 66.153.86.14 was traceable via a shared email address linking DeputyDog and the Hidden Lynx VOHO campaign; use this IP as a pivot for infrastructure correlation.

CVSS provenance

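| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |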