CVE-2016-0185
published 2016-05-11

Priority: P1 (85) · Severity: high · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2022-05-03
Exploited in the wild: yes
EPSS: 69.94% (99.3rd percentile)
Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, and Windows 8.1 allows remote attackers to execute arbitrary code via a crafted Media Center link (aka .mcl) file, aka "Windows Media Center Remote Code Execution Vulnerability."

Affected (6 ranges)

Vendor  Product
msrc    windows_7_for_32-bit_systems_service_pack_1
msrc    windows_7_for_x64-based_systems_service_pack_1
msrc    windows_8.1_for_32-bit_systems
msrc    windows_8.1_for_x64-based_systems
msrc    windows_vista_service_pack_2
msrc    windows_vista_x64_edition_service_pack_2

The version range and "fixed in" columns are not populated for any of the six entries; the detection notes below only record that the fix shipped in the May 2016 update.

Detection & IOCs (extracted from sources)

filename:  .mcl
path:      \\127.0.0.1\c$\programdata\cpl.lnk
registry:  HKEY_CLASSES_ROOT\.MCL
registry:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MCL

Two caveats on these indicators. The loopback address in the path is a proof-of-concept placeholder: in a real delivery the host is an attacker-controlled share, so match on the UNC-inside-file:/// pattern described below rather than on 127.0.0.1. The two registry keys are simply the .MCL file association, present wherever Media Center is installed; they show exposure (the handler is registered), not compromise.
  • Detect crafted .MCL files containing an 'Application' XML tag with a 'Run' parameter prefixed with 'file:///' pointing to a remote UNC path (WebDAV/SMB share), which bypasses the Windows Media Center security warning.
  • Monitor for Windows Media Center (ehshell.exe or related processes) spawning child processes such as cmd.exe or loading remote DLL/CPL files from UNC paths, which indicates exploitation of a crafted .MCL file.
  • Alert on outbound SMB/WebDAV connections initiated by Windows Media Center processes, especially to non-local IP addresses, as the exploit delivers payloads (EXE/DLL/CPL) via remote shares.
  • Flag .MCL files delivered via email or web download that contain 'file:///' URI schemes in their XML body, as this is the specific bypass technique used in exploitation.
  • Monitor for creation or access of .lnk (Control Panel Shortcut) files in remote shares (e.g., programdata) that reference remote CPL files, as this is the secondary bypass for the 'Open File' security warning.
  • The 'Control Panel Shortcut' (.lnk pointing to a remote CPL) secondary bypass technique was patched in the May 2016 update and no longer works on patched systems.
  • On 64-bit Windows systems, a 64-bit DLL/CPL payload should be used for reliable exploitation, though 32-bit DLLs may also function.
  • Exploitation requires user interaction: the victim must open a crafted .MCL file, either by navigating to a compromised website or clicking a link in a phishing email.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             7.8    HIGH
cisa                  7.8    HIGH
vendor_msrc           7.8    HIGH

Note the attack-vector split: the v3.1 vector scores AV:L because the victim has to open the .mcl file on the target, while the v2.0 vector scores AV:N for the same delivery over the network; both agree that no privileges are required and that user interaction is needed (UI:R, AC:M). CVSS v2 has no Critical band, so the CRITICAL label on the 9.3 v2 score is this aggregator's mapping; NVD itself rates v2 scores of 7.0 and above as HIGH.