cbcvebase.
CVE-2016-7201
published 2016-11-10

Priority P191 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2022-04-18
Exploited in the wild
EPSS: 79.69% (99.6th percentile)

The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7200, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | microsoft_edge_on_windows_10_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_32-bit_systems | | |
| msrc | microsoft_edge_on_windows_10_version_1607_for_x64-based_systems | | |
| msrc | microsoft_edge_on_windows_server_2016 | | |

Detection & IOCs (extracted from sources)

filename: FillFromPrototypes_TypeConfusion.html
filename: FillFromPrototypes_TypeConfusion_NoSC.html
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,to_client; file.data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:4; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, cve CVE_2016_7200, deployment Perimeter, confidence Medium, signature_severity Critical, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2024_03_14;)
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B643"; flow:established,to_client; file.data; content:"UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn"; classtype:trojan-activity; sid:2023704; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, cve CVE_2016_7200, deployment Perimeter, confidence Medium, signature_severity Critical, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2024_03_14;)
bytes: VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z
bytes: UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn
  • Network detection: Match HTTP response body for base64-encoded string 'VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z' (ET SID 2023702) indicating FillFromPrototypes exploit delivery for CVE-2016-7200/7201.
  • Network detection: Match HTTP response body for base64-encoded string 'UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn' (ET SID 2023704) as an alternate signature for the same FillFromPrototypes exploit.
  • The exploit abuses a Proxy handler's getPrototypeOf trap to trigger type confusion in chakra.dll's FillFromPrototypes code path; look for JavaScript using 'new Proxy' with a custom getPrototypeOf handler combined with Array.prototype.shift calls on mixed-type arrays.
  • The PoC exploit HTML file is named 'FillFromPrototypes_TypeConfusion.html' and executes WinExec notepad.exe as its payload; endpoint or proxy logs showing requests for this filename indicate active exploitation.
  • The exploit is tagged as associated with the Sundown Exploit Kit (tag Exploit_Kit_Sundown in ET metadata); correlate with other Sundown EK indicators when this signature fires.
  • Both ET Snort rules (SID 2023702 and 2023704) cover both CVE-2016-7200 and CVE-2016-7201 together; a match cannot distinguish which of the two CVEs is being exploited.
  • The public PoC exploit was tested specifically on Windows 10 Edge (modern.ie stable); effectiveness against other Edge versions or configurations is not confirmed by the source.
  • Microsoft's advisory notes exploit status as 'Publicly Disclosed: No; Exploited: No' at time of patch, but CISA KEV listing confirms subsequent in-the-wild exploitation with a remediation due date of 2022-04-18.

CVSS provenance

nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.6 · HIGH · AV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa · 8.8 · HIGH
osv · 8.8 · HIGH
vulncheck · 8.8 · HIGH
cisa · 8.8 · HIGH
vendor_msrc · 4.2 · MEDIUM