CVE-2015-6127
published 2015-12-09


Priority: P3 · 41 · medium · CVSS 2.0 base score 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Exploit: public exploit available
EPSS: 46.01% (98.7th percentile)
Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows remote attackers to read arbitrary files via a crafted .mcl file, aka "Windows Media Center Information Disclosure Vulnerability."

Detection & IOCs (extracted from sources)

filename: poc-microsoft.mcl
process: ehexthost.exe
other: MSXML2.XMLHTTP
  • Monitor for MCL files whose 'url' parameter references the MCL file itself — this self-referential pattern is the core exploit trigger.
  • Alert on ehexthost.exe spawning network connections or making outbound HTTP POST requests, which indicates file exfiltration via the exploit.
  • Detect instantiation of the MSXML2.XMLHTTP ActiveX object from within ehexthost.exe context, particularly when followed by outbound POST requests — this is the exfiltration mechanism.
  • Flag .mcl file opens where the embedded HTML/JS code performs XMLHttpRequest POST to external hosts — indicates active exfiltration of local files.
  • Detect use of the Metasploit auxiliary module ms15_134_mcl_leak which serves a malicious MCL file; watch for 100% CPU on ehexthost.exe on patched systems as a behavioral indicator.
  • The exploit only works when ehexthost.exe does NOT opt into the FEATURE_LOCALMACHINE_LOCKDOWN IE security feature; patching (MS15-134) addresses this but can cause 100% CPU if the exploit MCL is still opened.
  • The PoC requires the 'url' parameter value in the MCL file to exactly match the filename of the MCL file on disk for the self-rendering trick to work.
  • Exploitation requires the victim to manually open the malicious MCL file; it is not directly remotely exploitable without user interaction.
  • Confirmed vulnerable configuration requires Internet Explorer 11 to be installed on Windows 7 x64 SP1; other versions were not verified.