CVE-2018-8414
published 2018-08-15

Priority: P1 86 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 73.97% (99.4th percentile)
A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10.

Affected

16 ranges
Vendor      Product                                          Version range   Fixed in
microsoft   windows_10
microsoft   windows_10
microsoft   windows_10
microsoft   windows_10
microsoft   windows_10
microsoft   windows_10
microsoft   windows_10_servers
microsoft   windows_10_servers
msrc        windows_10_version_1703_for_32-bit_systems
msrc        windows_10_version_1703_for_x64-based_systems
msrc        windows_10_version_1709_for_32-bit_systems
msrc        windows_10_version_1709_for_x64-based_systems
msrc        windows_10_version_1803_for_32-bit_systems
msrc        windows_10_version_1803_for_x64-based_systems
msrc        windows_server_version_1709
msrc        windows_server_version_1803

Detection & IOCs (extracted from sources)

  • Monitor for new child processes spawned from .settingcontent-ms file handling, particularly PowerShell, cmd, mshta, certutil, bitsadmin, and WMI invocations
  • Flag .settingcontent-ms files with unusually large file sizes, as Icon-tag-based payloads embed unlimited-length obfuscated scripts and will be larger than normal
  • Detect abuse of the Icon tag in SettingContent-ms files containing embedded scripts (e.g. ReflectivePEInjection, backdoors) beyond simple icon paths
  • Hunt for .settingcontent-ms files embedded inside PDF documents, as this delivery vector was observed in the wild dropping FlawedAmmyy RAT
  • Alert on PowerShell scripts executed via the DeepLink tag of a SettingContent-ms file that download and execute remote payloads
  • The DeepLink tag in a malicious SettingContent-ms file accepts a maximum of 517 characters, limiting the complexity of directly embedded commands; longer payloads must use the Icon tag instead
  • The Icon tag in SettingContent-ms accepts unlimited characters, enabling arbitrarily long and obfuscated payloads; the file icon will appear blank regardless of Icon tag content, making visual inspection unreliable
  • CVE-2018-8414 affects only Windows 10 and Windows 10 Servers; SettingContent-ms was first introduced in Windows 10
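As an added defender-side example (not code from the page or its sources), this Python triage routine applies the detection points above to a .settingcontent-ms file: it pulls every DeepLink and Icon value, flags DeepLinks that launch the listed interpreters or exceed the 517-character limit, and flags Icon values that are not a plain icon path. The XML namespace, the sample files and the MAX_PATH bound on a legitimate icon reference are assumptions.

```python
"""Triage a .settingcontent-ms file for the abuse patterns listed above (added example)."""
import re
import xml.etree.ElementTree as ET

# Interpreters the page lists as child processes spawned from abused files.
SUSPICIOUS_LAUNCHERS = ("powershell", "cmd.exe", "mshta", "certutil", "bitsadmin", "wmic")
DEEPLINK_MAX = 517   # longest DeepLink the handler accepts (from the page)
ICON_PATH_MAX = 260  # assumption: a real icon reference is a path, so MAX_PATH bounds it
# Assumed shape of a legitimate Icon value: "<path to .exe/.dll/.ico>[,<resource index>]"
ICON_PATH_RE = re.compile(r"^@?[%\w\\:.\- ()]+\.(exe|dll|ico)(,-?\d+)?$", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the XML namespace so matching works whatever xmlns the file declares."""
    return tag.rsplit("}", 1)[-1]


def triage_settingcontent(data: bytes) -> list:
    """Return human-readable findings in document order; an empty list means nothing suspicious."""
    root = ET.fromstring(data)
    findings = []
    for el in root.iter():
        name, value = _local(el.tag), (el.text or "").strip()
        if name == "DeepLink":
            hits = [n for n in SUSPICIOUS_LAUNCHERS if n in value.lower()]
            if hits:
                findings.append("DeepLink launches " + ", ".join(hits))
            if len(value) > DEEPLINK_MAX:
                findings.append(f"DeepLink is {len(value)} chars, over the {DEEPLINK_MAX}-char limit")
        elif name == "Icon":
            if len(value) > ICON_PATH_MAX:
                findings.append(f"Icon value is {len(value)} chars, far longer than an icon path")
            elif value and not ICON_PATH_RE.match(value):
                findings.append("Icon value is not a plain icon path (embedded script?)")
    return findings


# Constructed samples; the xmlns is assumed, not copied from a real file.
_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings><SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
<ApplicationInformation><AppID>constructed.appid</AppID>
<DeepLink>{deeplink}</DeepLink><Icon>{icon}</Icon></ApplicationInformation>
</SearchableContent></PCSettings>"""
BENIGN = _TEMPLATE.format(deeplink=r"%windir%\system32\control.exe /name Microsoft.System",
                          icon=r"%windir%\system32\control.exe,-1").encode()
SUSPICIOUS = _TEMPLATE.format(deeplink=r"C:\Windows\System32\cmd.exe /c echo constructed-sample",
                              icon="function Invoke-Constructed { 'not an icon path' }").encode()

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, triage_settingcontent(blob) or ["clean"])
```

Feed it the raw bytes of files carved from e-mail attachments or PDF streams; the benign sample reports clean and the suspicious one reports both the interpreter launch and the non-path Icon value.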

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck               8.8     HIGH
cisa                    8.8     HIGH
vendor_msrc             4.8     MEDIUM