CVE-2013-3900
published 2013-12-11


Priority: P186 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-07-10
Exploited in the wild
EPSS: 44.65% (98.6th percentile)
Why is Microsoft republishing a CVE from 2013?

We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013.

Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software.

Vulnerability Description

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker c

Affected

36 ranges (showing 25)
Vendor / Product (no version range or fixed-in version is listed for any entry)
microsoft / windows_10_version_1507
microsoft / windows_10_version_1607
microsoft / windows_10_version_1809
microsoft / windows_10_version_21h2
microsoft / windows_10_version_22h2
microsoft / windows_11_version_21h2
microsoft / windows_11_version_22h2
microsoft / windows_11_version_22h3
microsoft / windows_11_version_23h2
microsoft / windows_11_version_24h2
microsoft / windows_server_2008
microsoft / windows_server_2008_r2_service_pack_1
microsoft / windows_server_2008_service_pack_2
microsoft / windows_server_2012
microsoft / windows_server_2012
microsoft / windows_server_2012_r2
microsoft / windows_server_2016
microsoft / windows_server_2019
microsoft / windows_server_2022
microsoft / windows_server_2025
msrc / windows_10
msrc / windows_10_version_1607
msrc / windows_10_version_1809
msrc / windows_10_version_21h2
msrc / windows_10_version_22h2

Detection & IOCs (extracted from sources)

hash: A6ED1667BB4BB9BAC35CE937FF08C7216D63EBB4
domain: teamworks455[.]com
domain: lkjhgfgsdshja[.]com
ip: 185[.]191[.]34[.]209
filename: appContast.dll
filename: 9092.dll
filename: reboot.dll
filename: adminpriv.exe
filename: defenderr.bat
filename: d3dcompiler_47.dll
filename: ffmpeg.dll
url: raw.githubusercontent[.]com/IconStorages/images/main/
filename: OCLEAN.DLL
filename: GTN.dll
filename: espui.dll
path: %LOCALAPPDATA%\sxda.xso
registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Look for mshta.exe being invoked with a DLL file as its parameter (e.g., appContast.dll or reboot.dll), which is the execution mechanism for the CVE-2013-3900-abusing Zloader payloads.
  • Detect regsvr32.exe loading 9092.dll or zoom.dll from %appdata% subdirectories as a persistence/execution indicator for Zloader.
  • Hunt for DLL sideloading patterns where OFFCLN.EXE (legitimate Microsoft app) loads OCLEAN.DLL from the same directory, followed by access to a Microsoft-signed DLL (DWINTL.DLL) with appended data after the signature section.
  • Hunt for GoogleToolbarNotifier.exe sideloading GTN.dll, which then reads espui.dll — a signed DLL with CVE-2013-3900-abused appended encrypted payload.
  • For 3CX supply chain attack: detect ffmpeg.dll scanning d3dcompiler_47.dll for the 'fe ed fa ce' byte sequence, which marks the start of the appended encrypted shellcode exploiting CVE-2013-3900.
  • Detect 3CXDesktopApp.exe loading ffmpeg.dll, which in turn reads d3dcompiler_47.dll — this three-file chain is the hallmark of the 3CX supply chain attack abusing CVE-2013-3900.
  • Flag PE files (DLLs/EXEs) where the file checksum and signature size fields have been modified and data has been appended beyond the Authenticode signature boundary — the core technique of CVE-2013-3900 exploitation.
  • Monitor for the WScriptSleeper.vbs file written to the %temp% directory as an indicator of the Zloader infection chain.
  • The EnableCertPaddingCheck registry key fix for CVE-2013-3900 is opt-in and disabled by default on all Windows versions, including Windows 10 and 11. It must be manually set to enforce stricter Authenticode verification.
  • For Windows 10 and Windows 11, no security update is required to get EnableCertPaddingCheck support (the code is already present), but the registry key must still be explicitly configured.
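The bullet above about appended data beyond the Authenticode signature boundary, and the two notes about the opt-in EnableCertPaddingCheck key, are both served by the following added example. It is not code from this page, from Microsoft, or from any of the cited reports. It parses a PE file's security data directory and walks the WIN_CERTIFICATE entries (layout per the PE and Authenticode specifications), then reports any bytes that sit inside the certificate table after the DER-encoded PKCS#7 SignedData: that slack is excluded from the Authenticode hash, which is exactly the space the Zloader and 3CX payloads occupy, and it is what the stricter padding check refuses. `build_sample_pe`, `FAKE_SIGNATURE` and the appended `fe ed fa ce` marker bytes are constructed test data (a stand-in DER SEQUENCE, not a real signature, in a non-runnable image). The registry paths and the REG_SZ value "1" are the ones Microsoft's advisory gives for the mitigation; all function names are mine.

```python
"""Authenticode certificate-table padding check (CVE-2013-3900 style tampering).
Added illustration, not code from the page or from Microsoft."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory index of the cert table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode

# Registry keys from Microsoft's advisory for the opt-in mitigation; 64-bit Windows
# needs the value EnableCertPaddingCheck = REG_SZ "1" under both of them.
WINTRUST_CONFIG_KEYS = (
    r"Software\Microsoft\Cryptography\Wintrust\Config",
    r"Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config",
)

# Constructed stand-in for a PKCS#7 blob: DER SEQUENCE { INTEGER 1, OCTET STRING "A" }.
# Only the outer SEQUENCE length matters to this checker.
FAKE_SIGNATURE = b"\x30\x06\x02\x01\x01\x04\x01A"


def der_total_length(blob):
    """Length in bytes of the outer DER element at blob[0], or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:      # SignedData is a SEQUENCE
        return None
    first = blob[1]
    if first < 0x80:                           # short-form length
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(data):
    """Return (file_offset, size) of the certificate table, or (0, 0) if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 vs PE32+ data-directory offset
    if dd_off is None:
        raise ValueError("unknown optional header magic")
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_opt:
        return (0, 0)
    return struct.unpack_from("<II", data, entry)  # for this entry the VA is a file offset


def check_cert_padding(data):
    """Return a list of findings; an empty list means no padding anomaly."""
    findings = []
    off, size = security_directory(data)
    if size == 0:
        return ["no Authenticode signature present"]
    end = off + size
    if end > len(data):
        return ["security directory extends past end of file"]
    if end < len(data):
        findings.append(f"{len(data) - end} bytes of overlay after certificate table")
    pos = off
    while pos + 8 <= end:
        dw_length, _rev, ctype = struct.unpack_from("<IHH", data, pos)
        if dw_length < 8 or pos + dw_length > end:
            findings.append("WIN_CERTIFICATE dwLength inconsistent with directory size")
            break
        body = data[pos + 8:pos + dw_length]
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            der_len = der_total_length(body)
            if der_len is None or der_len > len(body):
                findings.append("PKCS#7 blob malformed or truncated")
            else:
                slack = body[der_len:]            # everything after the SignedData
                nonzero = sum(1 for b in slack if b)
                if len(slack) > 7 or nonzero:     # tolerate only zero 8-byte alignment
                    findings.append(f"{len(slack)} bytes after PKCS#7 SignedData ({nonzero} non-zero)")
        pos += (dw_length + 7) & ~7               # entries are 8-byte aligned
    return findings


def build_sample_pe(pkcs7, appended=b""):
    """Constructed test data: a minimal, non-runnable PE32+ image whose certificate
    table holds `pkcs7` followed by `appended`, padded to 8 bytes like a real one."""
    body = pkcs7 + appended
    body += b"\0" * (-len(body) % 8)
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    cert_off = 64 + 4 + 20 + 240                                    # 328, 8-byte aligned
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def cert_padding_check_enabled():
    """On Windows, read EnableCertPaddingCheck under both Wintrust\\Config keys and
    return {key: value or None}. Returns None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    result = {}
    for sub in WINTRUST_CONFIG_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                result[sub] = winreg.QueryValueEx(key, "EnableCertPaddingCheck")[0]
        except OSError:
            result[sub] = None
    return result


if __name__ == "__main__":
    for path in sys.argv[1:]:                     # e.g. a suspect d3dcompiler_47.dll
        with open(path, "rb") as fh:
            print(path, check_cert_padding(fh.read()) or ["ok"])
    print("EnableCertPaddingCheck:", cert_padding_check_enabled())
```

Run it over the signed DLLs named in the IOC list (d3dcompiler_47.dll, espui.dll, DWINTL.DLL) if you have samples: a clean Microsoft-signed file reports nothing or only a few zero alignment bytes, while a CVE-2013-3900 carrier reports a large non-zero slack, and the file still passes WinVerifyTrust until EnableCertPaddingCheck is set. The registry reader returns None off Windows, and a dict whose values are None when the key or value is missing, which is the default state on every supported Windows release.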

CVSS provenance

nvd v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
nvd v2.0: 7.6 HIGH (AV:N/AC:H/Au:N/C:C/I:C/A:C)
vulncheck: 5.5 MEDIUM
cisa: 8.8 HIGH
vendor_msrc: 5.5 MEDIUM