CVE-2006-3730

HIGH EXPLOITED

Microsoft IE - Code Injection

Title source: rule
STIX 2.1

Exploitation Summary

CVE-2006-3730 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Metasploit, LukeHack, YAG KOHHA, including a Metasploit module exploits/windows/browser/ms06_057_webview_setslice.

AI-analyzed exploit summary This is a Metasploit module exploiting a buffer overflow in the WebViewFolderIcon ActiveX control (CVE-2006-3730) via a malicious HTML page. It uses heap spraying and a vulnerable ActiveX method to achieve remote code execution.

Description

Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a 0x7fffffff argument to the setSlice method on a WebViewFolderIcon ActiveX object, which leads to an invalid memory copy.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16564

This is a Metasploit module exploiting a buffer overflow in the WebViewFolderIcon ActiveX control (CVE-2006-3730) via a malicious HTML page. It uses heap spraying and a vulnerable ActiveX method to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Internet Explorer with WebViewFolderIcon ActiveX control (Windows 2000, XP, 2003)
No auth needed
Prerequisites: Target must visit a malicious webpage · ActiveX control must be enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by LukeHack · cremotewindows
https://www.exploit-db.com/exploits/2460

This exploit targets a vulnerability in Microsoft Internet Explorer's WebViewFolderIcon ActiveX control (CVE-2006-3730) via a heap spray technique to achieve remote code execution. It generates an HTML file with malicious JavaScript that triggers the vulnerability when loaded in IE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 6.0 SP1 on Windows XP SP2
No auth needed
Prerequisites: Victim must open the generated HTML file in a vulnerable version of Internet Explorer
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by YAG KOHHA · perlremotewindows
https://www.exploit-db.com/exploits/2458

This exploit targets a vulnerability in Microsoft Internet Explorer's WebViewFolderIcon ActiveX control via a heap spray technique to achieve remote code execution. The shellcode downloads and executes a payload from a remote URL.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer (WebViewFolderIcon ActiveX control)
No auth needed
Prerequisites: Victim must visit a malicious webpage · ActiveX controls must be enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by jamikazu · htmlremotewindows
https://www.exploit-db.com/exploits/2448

This exploit targets a vulnerability in Microsoft Internet Explorer's WebViewFolderIcon ActiveX control (CVE-2006-3730) via a heap spray technique to achieve remote code execution. It sprays the heap with NOP sleds and shellcode to invoke calc.exe as a proof of concept.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer on Windows XP (including SP2)
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer with ActiveX enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by H D Moore · rubyremotewindows
https://www.exploit-db.com/exploits/2440

This exploit targets a buffer overflow vulnerability in the WebViewFolderIcon ActiveX control (CVE-2006-3730) via a malicious HTML page. It leverages the setSlice() method to trigger memory corruption and execute arbitrary shellcode.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Internet Explorer with WebViewFolderIcon ActiveX control (Windows 2000, XP, 2003)
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer with the vulnerable ActiveX control enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by hdm · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms06_057_webview_setslice.rb

This Metasploit module exploits a buffer overflow in the WebViewFolderIcon ActiveX control (CVE-2006-3730) via a crafted HTML page with JavaScript that triggers the vulnerability, leading to remote code execution on vulnerable Windows systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer (WebViewFolderIcon ActiveX control) on Windows 2000, XP, and 2003
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a crafted HTML file · ActiveX controls must be enabled in Internet Explorer
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (20)

Core 20
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27804
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016941
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-283A.html
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-270A.html
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/449179/100/0/threaded
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/753044
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447174/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A339
Various Sources x_refsource_misc
http://isc.sans.org/diary.php?storyid=1742
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447383/100/100/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447426/100/0/threaded
Various Sources x_refsource_misc
http://riosec.com/msie-setslice-vuln
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27110
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19030
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2882
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/2440
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/447490/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22159

Scores

CVSS v3 8.8
EPSS 0.8607
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2006-10-10
CWE
CWE-94
Status published
Products (2)
microsoft/ie 6.0 sp1
microsoft/internet_explorer 6.0
Published Jul 21, 2006
Tracked Since Feb 18, 2026