CVE-2011-3402
HIGH | KEV | RANSOMWARE
Microsoft Windows - Remote Code Execution via TrueType Font Parsing
Title source: llm
Exploitation Summary
CVE-2011-3402 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 6, 2025, with confirmed use in ransomware campaigns.
Description
Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
References (21)
Third Party Advisory, US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2011-3402
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49121
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15645
US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-164A.html
Various Sources x_refsource_misc
http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1027039
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49122
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087
Third Party Advisory x_refsource_misc
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA11-347A.html
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13998
US Government Resource x_refsource_misc
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-291-01E.pdf
Various Sources x_refsource_misc
http://www.securelist.com/en/blog/208193197/The_Mystery_of_Duqu_Part_Two
Vendor Advisory x_refsource_confirm
http://technet.microsoft.com/security/advisory/2639658
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-034
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-039
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15290
Various Sources x_refsource_misc
http://isc.sans.edu/diary/Duqu+Mitigation/11950
Third Party Advisory x_refsource_misc
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-129A.html
Various Sources x_refsource_confirm
http://blogs.technet.com/b/msrc/archive/2011/11/03/microsoft-releases-security-advisory-2639658.aspx
Scores
CVSS v3: 8.8
EPSS: 0.8831
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: no
Technical Impact: total
Details
CISA KEV: 2025-10-06
VulnCheck KEV: 2011-11-04
InTheWild.io: 2020-09-28
ENISA EUVD: EUVD-2011-3365
Ransomware Use: Confirmed
Status: published
Products (5)
microsoft/windows_7 (4 CPE variants)
microsoft/windows_server_2003 (2 CPE variants)
microsoft/windows_server_2008 (5 CPE variants)
microsoft/windows_vista (2 CPE variants)
microsoft/windows_xp (4 CPE variants)
Published: Nov 04, 2011
KEV Added: Oct 06, 2025
Tracked Since: Feb 18, 2026