cbcvebase.
CVE-2015-6132
published 2015-12-09


Priority: P261
Severity: high, CVSS 2.0 score 7.2
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 84.70% (99.7th percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."

Affected

3 ranges
Vendor     Product              Version range  Fixed in
microsoft  windows_10
microsoft  windows_server_2008
microsoft  windows_server_2012

Detection & IOCs (extracted from sources)

other: {ecabafc9-7f19-11d2-978e-0000f8757e2a}
filename: planted-mqrt.doc
filename: mqrt.dll
  • Detect OLE documents embedding CLSID {ecabafc9-7f19-11d2-978e-0000f8757e2a} (CQueueAdmin / comsvcs.dll) — presence of this CLSID in a Word .doc or RTF file is a strong indicator of CVE-2015-6132 exploitation.
  • Monitor for RTF files containing the \oleclsid tag with value ecabafc9-7f19-11d2-978e-0000f8757e2a, which triggers the DLL load without requiring a user click.
  • Alert on WINWORD.EXE or other Office processes loading mqrt.dll from the document's working directory (i.e., not from System32/SysWOW64) via kernelbase!LoadLibraryExA — this indicates DLL planting via comsvcs.dll delay-load.
  • Watch for the call chain: ole32!OleLoad → comsvcs!CQueueAdmin::FinalConstruct → comsvcs!_tailMerge_mqrt_dll → KERNELBASE!LoadLibraryExA loading mqrt.dll from a non-system path.
  • Flag suspicious .doc files with an OLE object at offset 0x2650 containing the CQueueAdmin CLSID bytes (c9 af ab ec 19 7f d2 11 97 8e 00 00 f8 75 7e 2a in little-endian).
  • The exploit was confirmed on Office 2010 on Windows 7 x86 and Office 2013 on Windows 7 x64; other platform combinations were not tested by the researcher.
  • Beyond mqrt.dll, comsvcs.dll delay-loads 15 additional DLLs (ADVAPI32.dll, CLBCatQ.DLL, CRYPTSP.dll, dbghelp.dll, ODBC32.dll, etc.) that could also be abused as planting targets via the same CLSID vector.
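
The CLSID checks in the list above can be run as a static scan over a document's raw bytes. The following is an added example, not code from this page or its sources: it looks for the binary GUID layout quoted above and for the RTF \oleclsid form. It assumes plain byte matching is enough (obfuscated RTF or compressed containers are out of scope), and the sample inputs are constructed.

```python
import re
import sys
import uuid

# CLSID named on this page (CQueueAdmin in comsvcs.dll).
CLSID = uuid.UUID("ecabafc9-7f19-11d2-978e-0000f8757e2a")
# Binary GUID layout used in OLE storage: first three fields little-endian,
# i.e. c9 af ab ec 19 7f d2 11 97 8e 00 00 f8 75 7e 2a.
CLSID_BIN = CLSID.bytes_le
# RTF form: \oleclsid followed by the textual GUID. The braces around the
# GUID may be literal or escaped as \'7b / \'7d, so allow a few bytes between.
RTF_RE = re.compile(
    rb"\\oleclsid\b[^}]{0,16}?" + re.escape(str(CLSID).encode("ascii")),
    re.IGNORECASE,
)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound file (.doc) header


def scan(data: bytes) -> dict:
    """Report where the CLSID appears in a document's raw bytes."""
    if data.startswith(OLE_MAGIC):
        kind = "ole"
    elif data.lstrip()[:4].lower() == b"{\\rt":
        kind = "rtf"
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "binary_offsets": [m.start() for m in re.finditer(re.escape(CLSID_BIN), data)],
        "rtf_offsets": [m.start() for m in RTF_RE.finditer(data)],
    }


# Constructed samples (not real documents): an OLE-headed blob with the CLSID
# bytes placed at 0x2650, an RTF fragment carrying the \oleclsid tag, and an
# RTF fragment with an unrelated all-zero placeholder CLSID.
SAMPLE_OLE = OLE_MAGIC + bytes(0x2650 - len(OLE_MAGIC)) + CLSID_BIN + bytes(32)
SAMPLE_RTF = rb"{\rtf1 {\*\oleclsid \'7bECABAFC9-7F19-11D2-978E-0000F8757E2A\'7d}}"
SAMPLE_CLEAN = rb"{\rtf1 {\*\oleclsid \'7b00000000-0000-0000-0000-000000000000\'7d}}"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = scan(fh.read())
        flagged = bool(result["binary_offsets"] or result["rtf_offsets"])
        print(f"{path}: {'SUSPICIOUS' if flagged else 'clean'} {result}")
```

A hit only shows that the document references the CLSID; the process-level check above (Office loading mqrt.dll from a non-system path) is what confirms a planted DLL was actually loaded.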