CVE-2012-0003

HIGH EXPLOITED

Windows Multimedia Library - Remote Code Execution via Crafted MIDI File

Exploitation Summary

CVE-2012-0003 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits by authors including Metasploit, k0keoyo, Shane Garrett, juan vazquez and sinn3r, among them the Metasploit module exploits/windows/browser/ms12_004_midi.

AI-analyzed exploit summary: This Metasploit module exploits a heap overflow in Windows Multimedia Library (winmm.dll) via a crafted MIDI file, achieving remote code execution through Windows Media Player's ActiveX control. It targets specific IE versions on Windows XP SP3, using ROP for DEP bypass in IE 8.

Description

Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/18426

This Metasploit module exploits a heap overflow in Windows Multimedia Library (winmm.dll) via a crafted MIDI file, achieving remote code execution through Windows Media Player's ActiveX control. It targets specific IE versions on Windows XP SP3, using ROP for DEP bypass in IE 8.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Windows XP SP3 with Internet Explorer 6/7/8 and Windows Media Player
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Java Runtime Environment (JRE) for DEP bypass on IE 8
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Shane Garrett, juan vazquez, sinn3r · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms12_004_midi.rb

This Metasploit module exploits a heap overflow in Windows Multimedia Library (winmm.dll) via crafted MIDI files, achieving remote code execution through the Windows Media Player ActiveX control. It leverages type confusion in tagVARIANT objects to execute arbitrary code.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Windows XP SP3 with IE 6/7/8 and Windows Media Player
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Windows Media Player ActiveX control must be enabled
devstral-2 · analyzed Feb 19, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14337
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-010A.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47485
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/51292
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026492

Scores

CVSS v3 8.1
EPSS 0.8801
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2012-01-26
Status published
Products (7)
microsoft/windows_7 (3 CPE variants)
microsoft/windows_server_2003
microsoft/windows_server_2008 (3 CPE variants)
microsoft/windows_server_2008 r2 (2 CPE variants)
microsoft/windows_vista
microsoft/windows_xp (2 CPE variants)
microsoft/windows_xp 2005 sp3
Published Jan 10, 2012
Tracked Since Feb 18, 2026