cbcvebase.
CVE-2019-0784
published 2019-04-09

Priority: P273high
CVSS 3.0: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
ITW: VulnCheck KEV, exploited in the wild
EPSS: 8.26% (94.2th percentile)
A remote code execution vulnerability exists in the way that the ActiveX Data objects (ADO) handles objects in memory, aka 'Windows ActiveX Remote Code Execution Vulnerability'.

Affected

43 version ranges (25 shown). The version range and fixed-in columns are not present on this page; only vendor and product were captured.

Vendor      Product               Ranges shown
microsoft   windows               16
microsoft   windows_10            5
microsoft   windows_server        2
microsoft   windows_server_2008   1
microsoft   windows_server_2012   1

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered via a specially crafted website exploited through Internet Explorer — monitor for suspicious IE-initiated process activity or memory corruption events in msado*.dll / ADO components.
  • Attack vector includes ActiveX controls marked 'safe for initialization' embedded in Office documents or applications hosting the IE rendering engine — inspect Office documents for embedded ActiveX controls invoking ADO objects.
  • Compromised or attacker-controlled websites serving user-provided content or advertisements are a delivery vector — consider alerting on IE navigating to sites with unusual ActiveX instantiation of ADO objects.
  • Exploit status at time of advisory was 'Exploitation Less Likely' for both latest and older software releases, and not yet publicly disclosed or exploited in the wild — detection priority may be lower but should not be dismissed.
  • Exploitation grants only the rights of the current user — impact is reduced if users are not running with administrative privileges (least-privilege enforcement is a meaningful mitigation).

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0      7.6     HIGH       AV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck     -         7.5     HIGH       -
vendor_msrc   -         4.2     MEDIUM     -