CVE-2013-7331
published 2014-02-26

Priority P277 · medium · 6.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:L
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-06-15
Exploited in the wild
EPSS: 58.02% (99.0th percentile)
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

url: res://
  • Monitor for Microsoft.XMLDOM ActiveX control usage in Internet Explorer that probes local paths, UNC share paths, intranet hostnames, or intranet IPs via error code examination — a key behavioral indicator of CVE-2013-7331 exploitation.
  • Detect exploitation attempts targeting Internet Explorer 8 and Internet Explorer 9 specifically, where the XMLDOM object is used to enumerate filenames on the remote machine from a supplied list of file paths (e.g., c:\windows\system32\calc.exe).
  • Alert on use of res:// protocol handler URLs within Internet Explorer, as this scheme was specifically demonstrated as a vector for the XMLDOM information disclosure.
  • Treat XMLDOM-based file path probing as a potential anti-malware/AV detection evasion technique — attackers leveraged this vulnerability to detect anti-malware applications loaded in memory.
  • The Metasploit auxiliary module requires an attacker-supplied list of file paths to enumerate; detection should account for high volumes of XMLDOM load attempts against varied local paths such as UNC or system32 paths.
  • Exploitation is confirmed in the wild as of February 2014 and is listed in CISA KEV; treat unpatched Internet Explorer instances on Windows 8.1 and earlier as actively at risk.

CVSS provenance

nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:P/I:N/A:N
vulncheck · 6.5 MEDIUM
cisa · 6.5 MEDIUM