CVE-2018-0824
published 2018-05-09


Priority: P189 (high)
CVSS 3.1: 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability: yes (remediation due 2024-08-26)
Exploited in the wild: yes
EPSS: 73.47% (99.4th percentile)
A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Affected

17 ranges. The page gives vendor and product only; the "Version range" and "Fixed in" columns are empty for every entry.

Vendor       Product                         Version range   Fixed in
microsoft    windows_server_2008
microsoft    windows_server_2012
msrc         windows_10
msrc         windows_10_version_1607
msrc         windows_10_version_1703
msrc         windows_10_version_1709
msrc         windows_10_version_1803
msrc         windows_7
msrc         windows_8.1
msrc         windows_rt_8.1
msrc         windows_server_2008
msrc         windows_server_2008_r2
msrc         windows_server_2012
msrc         windows_server_2012_r2
msrc         windows_server_2016
msrc         windows_server_version_1709
msrc         windows_server_version_1803

Detection & IOCs (extracted from sources)

ip:       103.56.114[.]69
url:      http://103.56.114[.]69:8085/p.ps1
url:      https://www.nss.com[.]tw/p.ps1
url:      https://www.nss.com[.]tw/1.hta
url:      https://www.nss.com[.]tw/calc.exe
domain:   www.nss.com[.]tw
path:     C:/www/un/imjp14k.dll
path:     C:/www/un/service.exe
path:     C:/www/un/imjp14k.dll.dat
path:     C:/Users/Public/calc.exe
path:     C:/Users/Public/imjp14k.dll
path:     C:/Users/Public/log.dll
filename: imjp14k.dll
port:     8085
registry: hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 (as extracted, this is a reg query command line; the artifact is the key HKLM\SOFTWARE\Microsoft\Windows\SoftwareInventoryLogging, value CollectionState, queried from the 64-bit view)
hash:     9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
hash:     c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
hash:     161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d
hash:     24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe
hash:     bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a
  • APT41 used a tailored loader to inject a CVE-2018-0824 PoC (UnmarshalPwn) directly into memory for local privilege escalation. Hunt for in-memory injection of COM deserialization exploit code rather than for on-disk PoC binaries.
  • The exploit tool used to trigger CVE-2018-0824 is named 'UnmarshalPwn'. Alerting on process creation or file presence of that name is cheap but low-yield against this actor, since the PoC was injected from memory rather than dropped to disk; it still catches less careful reuse of the same PoC.
  • The Cobalt Strike loader is based on the open-source anti-AV project 'CS-Avoid-Killing', hosted on GitHub and written in Simplified Chinese. Hunt for Go-compiled Cobalt Strike loaders carrying embedded Simplified Chinese strings.
  • Talos released ClamAV signatures and Snort rules specifically for the ShadowPad malware and Cobalt Strike beacons APT41 used in this campaign; make sure they are deployed.
  • The Metasploit post-exploitation module 'post/windows/escalate/unmarshal_cmd_exec' exploits CVE-2018-0824. Monitor for that module's execution artifacts on Windows endpoints.
  • The hashes listed in the Talos newsletter come from general weekly telemetry (Coinminer, PUA droppers, KMSAuto, Scar dropper) and are NOT directly attributed to CVE-2018-0824 exploitation. Treat them as co-occurring campaign IOCs, not as exploit-specific indicators.
  • The C2 IP 103.56.114[.]69 was originally reported by Symantec in an April 2022 campaign. Its reuse in the 2023 campaign is noted, but the infrastructure may have changed hands since; validate before blocking.
  • The domain www.nss.com[.]tw is described as a compromised legitimate server used for C2, not attacker-owned infrastructure; blocking it may affect legitimate traffic to the original site owner.
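To make the indicators and hunting notes above actionable, here is an added example (not code from Talos, Symantec, or any other source this page cites) that matches them against Sysmon-style endpoint events and tags each hit with the handling caveat the page attaches to that indicator type. The sample event records, their Sysmon-like field names, and the handling tags are assumptions constructed for the example; the indicator values are copied from the list above.

```python
"""Hunt for the CVE-2018-0824 / APT41 indicators listed on this page in
Sysmon-style endpoint telemetry. Added example, not code from the page's
sources. The events at the bottom are constructed; the field names follow
Sysmon (EventID 1 process create, 3 network connect, 11 file create,
22 DNS query) but nothing here reads a real log."""
import re

# Indicators copied from the page, defanged exactly as listed there.
IOC_IPS = {"103.56.114[.]69"}
IOC_DOMAINS = {"www.nss.com[.]tw"}
IOC_PATHS = {
    "C:/www/un/imjp14k.dll", "C:/www/un/service.exe", "C:/www/un/imjp14k.dll.dat",
    "C:/Users/Public/calc.exe", "C:/Users/Public/imjp14k.dll", "C:/Users/Public/log.dll",
}
IOC_FILENAMES = {"imjp14k.dll"}
IOC_HASHES = {
    "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507",
    "c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0",
    "161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d",
    "24283c2eda68c559f85db7bf7ccfe3f81e2c7dfc98a304b2056f1a7c053594fe",
    "bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a",
}
IOC_PORT = 8085
IOC_REG_KEY = r"hklm\software\microsoft\windows\softwareinventorylogging"
# Tool names from the hunting notes: the PoC and the Metasploit post module.
TOOL_NAMES = ("unmarshalpwn", "unmarshal_cmd_exec")


def refang(s):
    return s.replace("[.]", ".")


def norm_path(p):
    return p.replace("/", "\\").lower()


IPS = {refang(i) for i in IOC_IPS}
DOMAINS = {refang(d) for d in IOC_DOMAINS}
PATHS = {norm_path(p) for p in IOC_PATHS}


def match_event(ev):
    """Return [(indicator, handling)] for one event; [] when nothing matches.
    The handling tag carries the page's own caveats (assumed labels) so an
    analyst neither blocks a compromised legitimate site blindly nor treats
    the weekly-telemetry hashes as proof of exploitation."""
    hits = []
    eid = ev.get("EventID")
    path = norm_path(ev.get("TargetFilename") or ev.get("Image") or "")
    name = path.rsplit("\\", 1)[-1]
    if eid in (1, 11):
        if path in PATHS:
            hits.append(("path:" + path, "investigate"))
        elif name in IOC_FILENAMES:
            hits.append(("filename:" + name, "investigate"))
    if eid == 1:
        cmd = (ev.get("CommandLine") or "").lower()
        # Low yield against APT41 (PoC injected in memory), but cheap to keep.
        if any(t in cmd or t in name for t in TOOL_NAMES):
            hits.append(("tool-name", "investigate"))
        if IOC_REG_KEY in cmd:
            hits.append(("reg-query:softwareinventorylogging", "context-only"))
        for h in re.findall(r"sha256=([0-9a-f]{64})", (ev.get("Hashes") or "").lower()):
            if h in IOC_HASHES:
                hits.append(("hash:" + h[:12], "co-occurring"))
    if eid == 3:
        ip, port = ev.get("DestinationIp", ""), ev.get("DestinationPort")
        if ip in IPS:
            hits.append(("c2-ip:" + ip, "validate-before-blocking"))
            if port == IOC_PORT:
                hits.append(("c2-port:%d" % port, "validate-before-blocking"))
    if eid == 22 and ev.get("QueryName", "").lower() in DOMAINS:
        hits.append(("c2-domain:" + ev["QueryName"], "compromised-site-do-not-block-blindly"))
    return hits


def hunt(events):
    """Map event index -> hits, skipping clean events."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\Public\\calc.exe",
     "CommandLine": "C:\\Users\\Public\\calc.exe",
     "Hashes": "SHA256=9F1F11A708D393E0A4109AE189BC64F1F3E312653DCF317A2BD406F18FFCC507"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\mshta.exe",
     "DestinationIp": "103.56.114.69", "DestinationPort": 8085},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\mshta.exe", "QueryName": "www.nss.com.tw"},
    {"EventID": 11, "TargetFilename": "C:\\Temp\\imjp14k.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query hklm\\software\\microsoft\\windows\\softwareinventorylogging /v collectionstate /reg:64"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The filename match is deliberately separate from the full-path match: the page lists imjp14k.dll under several directories, so the bare name catches the same DLL staged elsewhere, at the cost of more triage. The hash branch is labelled co-occurring for the reason the notes give, and the domain branch never recommends a block.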

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           3.1       8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           2.0       5.1     MEDIUM     AV:N/AC:H/Au:N/C:P/I:P/A:P
vulncheck               8.8     HIGH
cisa                    8.8     HIGH
vendor_msrc             7.5     HIGH

The 8.8 in the header is NVD's v3.1 score. MSRC rates the same bug 7.5; a vendor score below the NVD value is not a reason to deprioritize a KEV entry with a 99th-percentile EPSS.