CVE-2008-0015

HIGH KEV

Microsoft Windows 2003 Server and XP - Remote Code Execution via MPEG2TuneRequest ActiveX Control

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2008-0015 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 17, 2026. EIP tracks 3 public exploits from researchers including Metasploit, David Kennedy (ReL1K), including a Metasploit module exploits/windows/browser/msvidctl_mpeg2.

AI-analyzed exploit summary This is a functional Metasploit exploit for CVE-2008-0015, targeting a memory corruption vulnerability in Microsoft DirectShow (msvidctl.dll) via a crafted GIF file. It achieves remote code execution by overrunning a buffer in the BDATuner.MPEG2TuneRequest component.

Description

Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows
https://www.exploit-db.com/exploits/16615

This is a functional Metasploit exploit for CVE-2008-0015, targeting a memory corruption vulnerability in Microsoft DirectShow (msvidctl.dll) via a crafted GIF file. It achieves remote code execution by overrunning a buffer in the BDATuner.MPEG2TuneRequest component.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft DirectShow (msvidctl.dll) on Windows XP SP0-SP3 with IE 6.0-7.0
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Target system must have vulnerable msvidctl.dll
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by David Kennedy (ReL1K) · pythonremotewindows
https://www.exploit-db.com/exploits/9108

This exploit targets a heap spray vulnerability in Microsoft Internet Explorer 7 via the DirectShow (msvidctl.dll) component. It delivers a bind shell payload encoded with Shikata Ga Nai to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 7 (msvidctl.dll)
No auth needed
Prerequisites: Victim must visit a malicious web page · Target must be using Internet Explorer 7
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msvidctl_mpeg2.rb

This Metasploit module exploits a memory corruption vulnerability in Microsoft DirectShow (msvidctl.dll) via a crafted GIF file, leading to arbitrary code execution. It targets Internet Explorer 6/7 on Windows XP SP2/SP3 by leveraging a buffer overflow in the BDATuner.MPEG2TuneRequest component.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft DirectShow (msvidctl.dll) on Windows XP SP2/SP3 with Internet Explorer 6/7
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Target system must have vulnerable msvidctl.dll
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (21)

Core 21
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35558
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-223A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/55651
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6333
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35585
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36187
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7436
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2232
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022514
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-187A.html
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-195A.html
Exploit third-party-advisory x_refsource_iss
http://www.iss.net/threats/329.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6363
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/180513

Scores

CVSS v3 8.8
EPSS 0.8158
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2026-02-17
VulnCheck KEV 2009-07-07
InTheWild.io 2018-10-12
ENISA EUVD EUVD-2008-0028
CWE
CWE-119 CWE-121
Status published
Products (2)
microsoft/windows_2003_server (3 CPE variants)
microsoft/windows_xp (3 CPE variants)
Published Jul 07, 2009
KEV Added Feb 17, 2026
Tracked Since Feb 18, 2026