CVE-2010-1885

EXPLOITED

Windows XP and Windows Server 2003 - Remote Code Execution via Malformed hcp:// URL

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2010-1885 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Metasploit, Tavis Ormandy, Tavis Ormandy, natron, including a Metasploit module exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.

AI-analyzed exploit summary This Metasploit module exploits CVE-2010-1885, a vulnerability in Microsoft Help Center that allows arbitrary command execution via a combination of XSS and improper input validation in the hcp:// protocol handler. It uses a multi-stage attack involving WebDAV, ASX files, and JavaScript to trigger payload execution.

Description

The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16545

This Metasploit module exploits CVE-2010-1885, a vulnerability in Microsoft Help Center that allows arbitrary command execution via a combination of XSS and improper input validation in the hcp:// protocol handler. It uses a multi-stage attack involving WebDAV, ASX files, and JavaScript to trigger payload execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows Help and Support Center (hcp:// protocol handler)
No auth needed
Prerequisites: Victim must visit a malicious web page or open a malicious file · Target system must have vulnerable Help Center version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Tavis Ormandy · textremotewindows
https://www.exploit-db.com/exploits/13808

The writeup details a vulnerability in Microsoft Windows Help Centre (CVE-2010-1885) where malformed escape sequences in hcp:// URLs bypass the whitelist due to an error in MPC::HexToNum(). This allows arbitrary help document access and potential XSS exploitation via sysinfomain.htm.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Theoretical
Target: Microsoft Windows Help Centre (helpctr.exe 5.1.2600.5512)
No auth needed
Prerequisites: Access to a system with vulnerable Windows Help Centre · Ability to craft malicious hcp:// URLs
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Tavis Ormandy, natron · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb

This Metasploit module exploits CVE-2010-1885, a vulnerability in Microsoft Help Center that allows arbitrary command execution via a combination of XSS and improper input validation in the 'hcp://' protocol handler. It sets up an HTTP server to deliver a malicious payload through crafted ASX and HTML files, targeting Internet Explorer and Windows Media Player.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Help Center (Windows XP SP2/SP3, Windows Server 2003 SP2)
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a crafted file · Target system must have vulnerable Microsoft Help Center installed
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (16)

Core 16
Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/578319
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/511774/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/59267
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/511783/100/0/threaded
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/40725
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1024084
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/13808
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-194A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11733
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1417
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40076

Scores

EPSS 0.9220
EPSS Percentile 99.7%

Details

VulnCheck KEV 2011-07-26
CWE
CWE-78
Status published
Products (3)
microsoft/windows_2003_server (2 CPE variants)
microsoft/windows_server_2003
microsoft/windows_xp (3 CPE variants)
Published Jun 15, 2010
Tracked Since Feb 18, 2026