CVE-2010-2568

HIGH KEV

Windows Shell - Remote Code Execution via Crafted .LNK or .PIF Shortcut Files

Exploitation Summary

CVE-2010-2568 is actively exploited and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on September 15, 2022. EIP tracks 4 public exploits from researchers including Metasploit, hdm, jduck and B_H, among them the Metasploit module exploits/windows/smb/ms10_046_shortcut_icon_dllloader.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2010-2568 by creating a malicious WebDAV service that serves a crafted .LNK file and a malicious DLL. When a victim accesses the UNC path, the vulnerability in Windows Shell LNK handling triggers arbitrary code execution.

Description

Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16574

This Metasploit module exploits CVE-2010-2568 by creating a malicious WebDAV service that serves a crafted .LNK file and a malicious DLL. When a victim accesses the UNC path, the vulnerability in Windows Shell LNK handling triggers arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Shell (affected versions prior to MS10-046 patch)
No auth needed
Prerequisites: Victim must access a UNC path pointing to the attacker's WebDAV server · Target system must be unpatched for CVE-2010-2568
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
local · windows
https://www.exploit-db.com/exploits/14403

This exploit demonstrates CVE-2010-2568, a Windows Shell LNK file vulnerability that allows arbitrary code execution via a maliciously crafted shortcut file. The PoC triggers a vulnerability in shell32.dll by loading a malicious DLL through a specially crafted .lnk file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on XP SP3)
No auth needed
Prerequisites: Victim interaction to open the malicious .lnk file
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by hdm, jduck, B_H · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb

This Metasploit module exploits CVE-2010-2568 by generating a malicious .LNK file that references a DLL payload hosted on an SMB share. When the LNK file is accessed, Windows automatically loads the DLL, leading to arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Shell (affected versions prior to MS10-046 patch)
No auth needed
Prerequisites: SMB share access to host the malicious DLL · Delivery mechanism for the .LNK file to the target
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by hdm, jduck, B_H · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb

This Metasploit module exploits CVE-2010-2568 by serving a malicious .LNK file and DLL via a WebDAV server, achieving remote code execution when a victim accesses the UNC path.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows Shell (affected versions prior to MS10-046 patch)
No auth needed
Prerequisites: Victim must access the UNC path (e.g., via network share or USB) · WebDAV service must be reachable by the victim
devstral-2 · analyzed Feb 16, 2026

References (15)

Core References
Exploit, Issue Tracking x_refsource_misc
http://isc.sans.edu/diary.html?storyid=9181
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-222A.html
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/940193
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40647
Broken Link, Patch, Vendor Advisory x_refsource_confirm
http://www.microsoft.com/technet/security/advisory/2286198.mspx
Issue Tracking x_refsource_misc
http://isc.sans.edu/diary.html?storyid=9190
Broken Link, Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/41732
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1024216
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046

Scores

CVSS v3 7.8
EPSS 0.9213
EPSS Percentile 99.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-09-15
VulnCheck KEV 2010-10-01
InTheWild.io 2018-01-16
ENISA EUVD EUVD-2010-2572
Status published
Products (6)
microsoft/windows_7
microsoft/windows_server_2003
microsoft/windows_server_2008 (2 CPE variants)
microsoft/windows_server_2008 r2 (2 CPE variants)
microsoft/windows_vista (2 CPE variants)
microsoft/windows_xp (2 CPE variants)
Published Jul 22, 2010
KEV Added Sep 15, 2022
Tracked Since Feb 18, 2026