CVE-2015-2509
published 2015-09-09

Priority: P273, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 71.04% (99.3th percentile)

Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted Media Center link (mcl) file, aka "Windows Media Center RCE Vulnerability."

Detection & IOCs (extracted from sources)

filename: msf.mcl
filename: msf.exe
filename: Music.mcl

  • Detect crafted .mcl files containing UNC paths — the exploit works by embedding a UNC path inside a Media Center Link (.mcl) file to trigger automatic download and execution of a remote payload.
  • Monitor for Windows Media Center (ehshell.exe or related processes) spawning unexpected child processes, particularly executables fetched from UNC/SMB paths.
  • Alert on .mcl file creation or delivery via email/web, especially files referencing UNC (\\server\share) paths inside their content.
  • The vulnerability is user-assisted — the victim must open the crafted .mcl file, so a delivery vector (phishing, malicious download) is a prerequisite for exploitation.
  • The Metasploit module targets Windows platforms only (Vista SP2, 7 SP1, Windows 8, 8.1) and requires the SRVHOST/UNC infrastructure to be reachable by the victim for payload delivery.
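
One way to implement the first and third checks above for a mail or web gateway, as an added example that is not from the page's sources. The .mcl structure is not described here, so the scanner treats file content as opaque text; the function names, the extension list and both sample inputs are assumptions constructed for illustration.

```python
import re

# One UNC path component: anything except separators, whitespace and quoting characters.
SEG = r"""[^\\/\s"'<>|]+"""
# \\host\share followed by zero or more \component parts.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\(" + SEG + r")((?:\\" + SEG + r")*)")
# Assumption: extensions treated as directly executable; the page itself only names msf.exe.
EXEC_EXTS = (".exe", ".scr", ".bat", ".cmd", ".com")

def decode_text(data: bytes) -> str:
    """Decode file bytes so a UTF-16 file cannot hide a path from a byte-level match."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8", errors="replace")
    # BOM-less UTF-16LE heuristic: ASCII text leaves NUL in most odd byte positions.
    if len(data) >= 4 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16-le", errors="replace")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("latin-1")  # lossless fallback, keeps ASCII backslashes intact

def scan_mcl(name: str, data: bytes) -> list:
    """Return one finding per UNC reference inside a file named *.mcl."""
    if not name.lower().endswith(".mcl"):
        return []
    findings = []
    for m in UNC_RE.finditer(decode_text(data)):
        path = m.group(0)
        findings.append({
            "file": name,
            "host": m.group(1),
            "share": m.group(2),
            "path": path,
            # Higher severity when the remote target is itself an executable.
            "executable": path.lower().endswith(EXEC_EXTS),
        })
    return findings

# Constructed samples: placeholder text, not real Media Center link content.
BENIGN = b"placeholder entry: C:\\Users\\Public\\Music\\track.mp3\n"
SUSPICIOUS = "placeholder entry: \\\\fileserver.example\\share\\tool.exe\n".encode("utf-16")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_mcl("Music.mcl", blob))
```

Any finding is worth an alert; a finding with "executable" set is the case the bullets describe and can be blocked at delivery.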

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat: 4.7 MEDIUM