CVE-2015-6131
published 2015-12-09


Priority: P266 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 30.54% (98.0th percentile)
Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows remote attackers to execute arbitrary code via a crafted .mcl file, aka "Media Center Library Parsing RCE Vulnerability."

Detection & IOCs (extracted from sources)

filename: self-exec-1.mcl
filename: self-exec-2.mcl
filename: recordsetfile.txt
filename: poc.hta
path: C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta
  • Detect .mcl files whose URL reference points at the file itself or at an external URL: Windows Media Center parses the referenced target as an HTML page in Internet Explorer's Local Machine security zone, where script runs with few restrictions and can execute arbitrary code.
  • Monitor for ADODB.Recordset or ADODB.Connection ActiveX objects instantiated in the Windows Media Center (ehshell.exe) process context, in particular rs.Save() calls that write into a user's Startup folder.
  • Alert on files with the .mcl extension being opened or delivered via email or the web, especially ones containing script tags or HTML that reference external URLs or the file itself.
  • Monitor SMB traffic for credential or username leakage: the exploit instructs the attacker to sniff SMB traffic for the victim's Windows username, which is needed to build the correct Startup path for the payload drop.
  • Detect the Wscript.Shell ActiveX object spawning child processes from within the Media Center or HTA (mshta.exe) context; the payload uses Wscript.Shell to run arbitrary executables.
  • Monitor for .hta files written to any user's Startup folder (AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/), the persistence mechanism this exploit uses.
  • The IP address 192.168.10.10 in the exploit is a private PoC address and should not be treated as threat-actor infrastructure; attackers substitute their own server address.
  • The Windows username embedded in the Startup path ('windowsuser') is a placeholder; a real attack must enumerate the victim's actual username (via SMB sniffing, per the exploit instructions) to construct the correct payload drop path.
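The following is an added example, not code from the cvebase page or from the exploit author, that turns the detection points above into two runnable checks: a static triage of .mcl content for self-references, external URLs and embedded HTML/script, and a detector that flags .hta files created in a user's Startup folder, weighting hits from ehshell.exe or mshta.exe higher. It assumes the Media Center Link format is XML-like with a url="..." attribute on its application element, and the log events are constructed Sysmon-style FileCreate dictionaries, not real telemetry.

```python
"""Added example: triage of .mcl files and Startup-folder .hta drop detection.

Assumptions (not from the original page): .mcl content carries url="..."
attributes; events are constructed dicts shaped like Sysmon FileCreate records.
"""
import re
from urllib.parse import urlparse

# url="..." attributes as found in Media Center Link (.mcl) XML.
URL_ATTR_RE = re.compile(r'\burl\s*=\s*"([^"]*)"', re.IGNORECASE)
# HTML/script constructs that have no business in a link file.
SCRIPT_RE = re.compile(r"<\s*(script|html|body|object)\b", re.IGNORECASE)
# Per-user Startup folder, accepting either path separator, ending in .hta.
STARTUP_HTA_RE = re.compile(
    r"[\\/]AppData[\\/]Roaming[\\/]Microsoft[\\/]Windows[\\/]Start Menu"
    r"[\\/]Programs[\\/]Startup[\\/][^\\/]+\.hta$",
    re.IGNORECASE,
)
# Processes from which a Startup .hta write is most suspicious (see bullets above).
MEDIA_CENTER_PROCS = {"ehshell.exe", "mshta.exe"}


def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def triage_mcl(filename, content):
    """Return (finding, evidence) tuples for one .mcl file body."""
    findings = []
    for url in URL_ATTR_RE.findall(content):
        if _basename(url) == filename.lower():
            findings.append(("self-reference", url))          # file points at itself
        elif url.startswith("\\\\") or urlparse(url).scheme in ("http", "https", "file"):
            findings.append(("external-url", url))            # UNC or remote target
    m = SCRIPT_RE.search(content)
    if m:
        findings.append(("embedded-script", m.group(0)))      # HTML/script inside a link file
    return findings


def detect_startup_hta(events):
    """Return (severity, image, target) for FileCreate events dropping .hta into Startup."""
    hits = []
    for ev in events:
        if ev.get("EventType") != "FileCreate":
            continue
        target = ev.get("TargetFilename", "")
        if not STARTUP_HTA_RE.search(target):
            continue
        image = _basename(ev.get("Image", ""))
        severity = "high" if image in MEDIA_CENTER_PROCS else "medium"
        hits.append((severity, image, target))
    return hits


# Constructed sample: an .mcl that references itself and embeds HTML (stand-in for the
# ADODB.Recordset Save()-to-Startup stage; no payload logic is included).
SAMPLE_MCL_NAME = "self-exec-1.mcl"
SAMPLE_MCL = (
    '<application url="self-exec-1.mcl" name="demo"/>\n'
    '<html><script language="vbscript">\n'
    "' constructed stand-in for the rs.Save() stage described above\n"
    "</script></html>\n"
)
CLEAN_MCL = '<application url="C:\\Program Files\\App\\start.htm" name="App"/>'

# Constructed Sysmon-style events (not real telemetry).
STARTUP = "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": "C:\\Windows\\ehome\\ehshell.exe",
     "TargetFilename": "C:\\Users\\alice" + STARTUP + "poc.hta"},
    {"EventType": "FileCreate", "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\mshta.exe"},
    {"EventType": "FileCreate", "Image": "C:\\Program Files\\Installer\\setup.exe",
     "TargetFilename": "C:\\Users\\bob" + STARTUP + "launcher.hta"},
]

if __name__ == "__main__":
    for f in triage_mcl(SAMPLE_MCL_NAME, SAMPLE_MCL):
        print("mcl finding:", f)
    for h in detect_startup_hta(SAMPLE_EVENTS):
        print("startup hta:", h)
```

The .mcl triage is deliberately regex-based rather than an XML parser: the self-referencing trick means a malicious file is both XML and HTML, and a strict parser would bail on it. A legitimate .mcl pointing at a local .htm produces no findings; an external URL alone is only a weak signal, and it is the combination with embedded script or a self-reference that should page someone.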