CVE-2007-2222

Microsoft Internet Explorer - Remote Code Execution via ActiveX Speech Control Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-2222. PoCs published by rgod.

AI-analyzed exploit summary: This is a working proof-of-concept exploit for CVE-2007-2222, targeting a buffer overflow vulnerability in the Microsoft Windows DirectSpeechSynthesis Module (XVoice.dll 4.0.4.2512). The exploit uses a crafted HTML file with VBScript to trigger the overflow and execute arbitrary shellcode, achieving remote code execution.

Description

Multiple buffer overflows in the (1) ActiveListen (Xlisten.dll) and (2) ActiveVoice (Xvoice.dll) speech controls, as used by Microsoft Internet Explorer 5.01, 6, and 7, allow remote attackers to execute arbitrary code via a crafted ActiveX object that triggers memory corruption, as demonstrated via the ModeName parameter to the FindEngine function in ACTIVEVOICEPROJECTLib.DirectSS.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by rgod · html · remote · windows
https://www.exploit-db.com/exploits/4066

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows DirectSpeechSynthesis Module (XVoice.dll 4.0.4.2512)
No auth needed
Prerequisites: Victim must open the crafted HTML file in Internet Explorer 6
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC · VERIFIED
by rgod · html · remote · windows
https://www.exploit-db.com/exploits/4065

This exploit targets a buffer overflow vulnerability in the Microsoft Windows DirectSpeechSynthesis (XVoice.dll) and DirectSpeechRecognition (Xlisten.dll) modules. It leverages a Unicode-based SEH overwrite to execute arbitrary shellcode; the payload, encoded with Metasploit's JmpCallAdditive encoder, adds an administrator account.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows DirectSpeechSynthesis (XVoice.dll) and DirectSpeechRecognition (Xlisten.dll) on Windows 2000 SP4 and XP
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer · ActiveX controls must be enabled or marked as safe for trusted callers
devstral-2 · analyzed Feb 16, 2026

References (14)

Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/34630
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb)
http://osvdb.org/35353
US Government Resource (third-party-advisory, x_refsource_cert-vn)
http://www.kb.cert.org/vuls/id/507433
Vendor Advisory (third-party-advisory, x_refsource_secunia)
http://secunia.com/advisories/25627
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db)
http://www.exploit-db.com/exploits/4065
Third Party Advisory, VDB Entry (vendor-advisory, x_refsource_hp)
http://www.securityfocus.com/archive/1/471947/100/0/threaded
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/24426
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack)
http://securitytracker.com/id?1018235
Vendor Advisory (vdb-entry, x_refsource_vupen)
http://www.vupen.com/english/advisories/2007/2153
US Government Resource (third-party-advisory, x_refsource_cert)
http://www.us-cert.gov/cas/techalerts/TA07-163A.html
Third Party Advisory, VDB Entry (vdb-entry, signature, x_refsource_oval)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2031

Scores

EPSS: 0.5474
EPSS Percentile: 98.9%

Details

CWE: CWE-119
Status: published
Products (3)
microsoft/internet_explorer 5.01 sp4
microsoft/internet_explorer 6 sp1 (2 CPE variants)
microsoft/internet_explorer 7.0
Published: Jun 12, 2007
Tracked Since: Feb 18, 2026