CVE-2016-0185
Published 2016-05-11
Priority: P185 (high) · CVSS 3.1 score 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 69.94% (99.3rd percentile)
Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, and Windows 8.1 allows remote attackers to execute arbitrary code via a crafted Media Center link (aka .mcl) file, aka "Windows Media Center Remote Code Execution Vulnerability."
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_8.1_for_32-bit_systems | — | — |
| msrc | windows_8.1_for_x64-based_systems | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
- Detect crafted .MCL files containing an 'Application' XML tag with a 'Run' parameter prefixed with 'file:///' pointing to a remote UNC path (WebDAV/SMB share), which bypasses the Windows Media Center security warning.
- Monitor for Windows Media Center (ehshell.exe or related processes) spawning child processes such as cmd.exe or loading remote DLL/CPL files from UNC paths, which indicates exploitation of a crafted .MCL file.
- Alert on outbound SMB/WebDAV connections initiated by Windows Media Center processes, especially to non-local IP addresses, as the exploit delivers payloads (EXE/DLL/CPL) via remote shares.
- Flag .MCL files delivered via email or web download that contain 'file:///' URI schemes in their XML body, as this is the specific bypass technique used in exploitation.
- Monitor for creation or access of .lnk (Control Panel Shortcut) files in remote shares (e.g., programdata) that reference remote CPL files, as this is the secondary bypass for the 'Open File' security warning.
Notes:
- The 'Control Panel Shortcut' (.lnk pointing to remote CPL) secondary bypass technique was patched in the May 2016 update and no longer works on patched systems.
- On 64-bit Windows systems, a 64-bit DLL/CPL payload should be used for reliable exploitation, though 32-bit DLLs may also function.
- Exploitation requires user interaction: the victim must open a crafted .MCL file, either by navigating to a compromised website or clicking a link in a phishing email.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
CISA
Microsoft Windows Media Center Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 7.8 · HIGH · CWE-20
Affected: Microsoft Windows
Microsoft Windows Media Center contains a remote code execution vulnerability when Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-0185
Remediation Due Date: 2022-05-03
Microsoft
Windows Media Center Remote Code Execution Vulnerability
vendor_msrc · 2016-05-10 · CVSS 7.8 · HIGH
Description: A vulnerability exists in Windows Media Center that could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could take control of an affected system. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Workstations are primarily at risk of this vulnerability.
To exploit the vulnerability, user interaction is required. In a web-browsing scenario, a user would have to navigate to a compromised website that an attacker is using to host a malicious .mcl file. In an email at
VulDB
Microsoft Windows Vista SP2/7 SP1/8.1 Media Center input validation (MS16-059 / EDB-39805)
vuldb · 2026-04-23 · CVSS 7.8 · HIGH
A vulnerability was found in Microsoft Windows Vista SP2/7 SP1/8.1 and has been rated as critical. It affects unspecified processing in the Media Center component, where manipulation leads to improper input validation.
The vulnerability is tracked as CVE-2016-0185. It can be exploited remotely, and a public exploit exists.
Applying the vendor patch is the recommended action to fix this issue.
GHSA
GHSA-76r4-g8fm-62pc: Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, and Windows 8
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-20
Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, and Windows 8.1 allows remote attackers to execute arbitrary code via a crafted Media Center link (aka .mcl) file, aka "Windows Media Center Remote Code Execution Vulnerability."
VulnCheck
Microsoft Windows Media Center Remote Code Execution Vulnerability
vulncheck · 2016 · CVSS 7.8 · HIGH · CWE-20
Microsoft Windows Media Center contains a remote code execution vulnerability when Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
No detection rules found.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
In November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Talos
Microsoft Patch Tuesday - May 2016
blogs_talos · 2016-05-10 · CVSS 7.5 · HIGH
## Microsoft Patch Tuesday - May 2016
This post is authored by Holger Unterbrink.
Patch Tuesday for May 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 16 bulletins addressing 33 vulnerabilities. Eight bulletins are rated critical, addressing vulnerabilities in Edge, Internet Explorer, Office, Graphic Components, VBScript, and Windows Shell. The remaining bulletins are rated important and address vulnerabilities in Internet Explorer, Office, Windows Kernel, IIS, Media Center, Hyper-V, .NET, and several other Windows components.
## Bulletins Rated Critical
Vulnerabilities in Microsoft bulletins MS16-051 through MS16-057 and MS16-064 are rated as critical in this month's release.
MS16-051 and MS16-
References
- http://www.securityfocus.com/bid/90023
- http://www.securitytracker.com/id/1035832
- http://www.zerodayinitiative.com/advisories/ZDI-16-277
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-059
- https://www.exploit-db.com/exploits/39805/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0185
Timeline
- 2016-05-11: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild