CVE-2006-0005

EXPLOITED

Windows Media Player 9-10 - Remote Code Execution via Long EMBED src Attribute

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2006-0005 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Matthew Murphy, H D Moore.

AI-analyzed exploit summary This exploit leverages a heap spray technique to exploit CVE-2006-0005 in Windows Media Player, allowing arbitrary code execution via a malicious HTML file. The shellcode creates an administrator account named 'wmp0wn3d' with a password of 'password'.

Description

Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Matthew Murphy · perlremotewindows
https://www.exploit-db.com/exploits/1520

This exploit leverages a heap spray technique to exploit CVE-2006-0005 in Windows Media Player, allowing arbitrary code execution via a malicious HTML file. The shellcode creates an administrator account named 'wmp0wn3d' with a password of 'password'.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Windows Media Player (versions affected by CVE-2006-0005)
No auth needed
Prerequisites: Vulnerable version of Windows Media Player · User interaction to open the malicious HTML file
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by H D Moore · remotewindows
https://www.exploit-db.com/exploits/1504

This exploit targets a buffer overflow vulnerability in the Windows Media Player plugin for non-Microsoft browsers (CVE-2006-0005). It crafts a malicious HTML page with an embedded media file to trigger the overflow and execute arbitrary shellcode.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Windows Media Player 9 (non-Microsoft browsers)
No auth needed
Prerequisites: Victim must visit a malicious webpage using a vulnerable browser with the WMP plugin
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Matthew Murphy · htmlremotewindows
https://www.exploit-db.com/exploits/1505

This exploit targets a stack-based buffer overflow in the Windows Media Player plugin for non-Microsoft browsers via a maliciously crafted EMBED tag with an overly long SRC attribute. It leverages heap spraying and SEH overwrites to execute arbitrary shellcode, adding a local administrator account.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Windows Media Player 10 (via plugin for Firefox/Opera)
No auth needed
Prerequisites: Victim must visit a malicious webpage using Firefox/Opera with WMP plugin installed · Windows XP SP2 (or similar vulnerable OS)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/0575
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/16644
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/24493
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015628
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/692060
Various Sources third-party-advisory x_refsource_idefense
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=393
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1559
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-045A.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18852

Scores

EPSS 0.7552
EPSS Percentile 98.9%

Details

VulnCheck KEV 2010-05-01
CWE
CWE-119
Status published
Products (25)
microsoft/windows-nt datacenter_server (5 CPE variants)
microsoft/windows-nt xp sp2
microsoft/windows-nt xp_tablet_pc (3 CPE variants)
microsoft/windows_2000 (6 CPE variants)
microsoft/windows_2000_advanced_server
microsoft/windows_2000_advanced_server sp1
microsoft/windows_2000_advanced_server sp2
microsoft/windows_2000_advanced_server sp3
microsoft/windows_2000_advanced_server sp4
microsoft/windows_2003_server datacenter_edition
... and 15 more
Published Feb 14, 2006
Tracked Since Feb 18, 2026