CVE-2017-8750
published 2017-09-13


Priority: P2 · 73 · high · CVSS 3.0 base score 7.5
CVSS 3.0 vector: AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 9.20% (94.7th percentile)
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browsers access objects in memory, aka "Microsoft Browser Memory Corruption Vulnerability".

Affected

3 ranges

Vendor      Product               Version range   Fixed in
microsoft   internet_explorer     (none listed)   (none listed)
msrc        internet_explorer_11  (none listed)   (none listed)
msrc        microsoft_edge        (none listed)   (none listed)

Detection & IOCs (extracted from sources)

domain: appswonder[.]info
domain: pikrpro[.]eu
hash:   f1a54dca2fdfe59ec3f537148460364fb5d046c9b4e7db5fc819a9732ae0e063
hash:   434d34c0502910c562f5c6840694737a2c82a8c44004fa58c7c457b08aac17bd
domain: twitck[.]com
  • CVE-2017-8750 exploitation arrives via malicious RTF file delivering a VB backdoor; hunt for RTF files spawning VB-based processes or making outbound connections to appswonder[.]info
  • Malicious RTF samples exploiting CVE-2017-8750 are detected under Trend Micro signatures TROJ_CVE201711882.AG and Mal_CVE20170199-2; use these as hunt pivots in AV telemetry
  • The exploit payload (TROJ_POWLOAD.GAA) uses a PowerShell script containing two base64-encoded URLs — one for a decoy document and one for the actual payload; detect base64-encoded dual-URL patterns in PowerShell command lines
  • The C&C domains appswonder[.]info and referfile[.]com were also reported by Talos in separate campaigns (iOS MDM and VB/Delphi backdoor campaigns), so detections on these domains may fire across multiple threat actor clusters beyond just CVE-2017-8750 exploitation

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.0     7.5    HIGH      CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     7.6    HIGH      AV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck             7.5    HIGH
vendor_msrc           7.5    HIGH