CVE-2005-4560

EXPLOITED IN THE WILD

Windows 2003 Server and XP - Remote Code Execution via Crafted WMF SETABORTPROC GDI Escape

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2005-4560 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including Metasploit, hdm, including a Metasploit module exploits/windows/browser/ms06_001_wmf_setabortproc.

AI-analyzed exploit summary This Metasploit module exploits CVE-2005-4560 by crafting a malicious WMF file that leverages the 'Escape' metafile function to execute arbitrary code via the SetAbortProc procedure. It generates a random WMF record stream for each request to bypass simple signature detection.

Description

The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16612

This Metasploit module exploits CVE-2005-4560 by crafting a malicious WMF file that leverages the 'Escape' metafile function to execute arbitrary code via the SetAbortProc procedure. It generates a random WMF record stream for each request to bypass simple signature detection.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows XP/2003/Vista (GDI library)
No auth needed
Prerequisites: Target must process the malicious WMF file (e.g., via web browser or file download)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by hdm · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb

This Metasploit module exploits CVE-2005-4560 by crafting a malicious WMF file that leverages the 'Escape' metafile function to execute arbitrary code via the SetAbortProc procedure. It generates a random WMF record stream for each request to bypass detection.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Windows XP/2003/Vista GDI library
No auth needed
Prerequisites: Target system must process the malicious WMF file · Network access to deliver the payload
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (37)

Core 37
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420367/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420378/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1492
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420357/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1564
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18255
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1612
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/3086
Exploit vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015416
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420351/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420446/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/23846
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18364
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420773/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18415
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420664/30/7730/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420687/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420682/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18311
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA05-362A.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420546/30/7730/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1431
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420288/100/0/threaded
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/181038
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1460
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/16074
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/420684/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1433
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-005A.html

Scores

EPSS 0.9027
EPSS Percentile 99.6%

Details

VulnCheck KEV 2005-12-28
InTheWild.io 2018-10-19
CWE
CWE-20
Status published
Products (5)
microsoft/windows_2003_server enterprise (2 CPE variants)
microsoft/windows_2003_server r2 (2 CPE variants)
microsoft/windows_2003_server standard (2 CPE variants)
microsoft/windows_2003_server web (2 CPE variants)
microsoft/windows_xp (8 CPE variants)
Published Dec 28, 2005
Tracked Since Feb 18, 2026