CVE-2006-4704

EXPLOITED

Microsoft Visual Studio .NET - Cross-Zone Scripting via WMI Object Broker ActiveX Control

Title source: llm

Exploitation Summary

CVE-2006-4704 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, credited to Metasploit and hdm, including the Metasploit module exploits/windows/browser/ie_createobject.

AI-analyzed exploit summary: This is a Metasploit module that exploits a code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. It targets CVE-2006-4704 (WMI Object Broker) and CVE-2006-0003 (MDAC) to achieve remote code execution.

Description

Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2) ActiveX control (WmiScriptUtils.dll) in Microsoft Visual Studio 2005 allows remote attackers to bypass Internet zone restrictions and execute arbitrary code by instantiating dangerous objects, aka "WMI Object Broker Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16561

This is a Metasploit module that exploits a code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. It targets CVE-2006-4704 (WMI Object Broker) and CVE-2006-0003 (MDAC) to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Internet Explorer (versions up to 6.1)
No auth needed
Prerequisites: Victim must visit a malicious webpage · Vulnerable ActiveX objects must be present
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by hdm · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_createobject.rb

This Metasploit module exploits CVE-2006-4704 by abusing vulnerable ActiveX objects in Internet Explorer to achieve remote code execution. It uses a variety of CLSIDs to create objects and execute arbitrary commands via WScript.Shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Internet Explorer (versions up to 6.1)
No auth needed
Prerequisites: Victim must visit a malicious webpage · Vulnerable ActiveX controls must be present
devstral-2 · analyzed Feb 19, 2026

References (17)

Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20843
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/454201/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_mskb
http://www.microsoft.com/technet/security/advisory/927709.mspx
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20797
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-346A.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22603
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4282
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A288
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/454969/100/200/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017142
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/854856
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/data/vulnerabilities/exploits/0day_ie.pdf
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-06-047.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/29915

Scores

EPSS 0.7491
EPSS Percentile 98.9%

Details

VulnCheck KEV 2007-01-09
Status published
Products (1)
microsoft/visual_studio_.net 2005
Published Nov 01, 2006
Tracked Since Feb 18, 2026