CVE-2012-0158

HIGH KEV RANSOMWARE

Microsoft Office and Components - Remote Code Execution via Crafted File


Exploitation Summary

CVE-2012-0158 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, Sunqiz, and RobertoLeonFR-ES, among them the Metasploit module exploits/windows/fileformat/ms12_027_mscomctl_bof.

AI-analyzed exploit summary: This is a Metasploit module exploiting a stack buffer overflow in MSCOMCTL.OCX via a malicious RTF file embedding the MSComctlLib.ListViewCtrl.2 ActiveX control. It targets Office 2007 and 2010, using a ROP chain for DEP/ASLR bypass on Office 2010.

Description

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/18780

This is a Metasploit module exploiting a stack buffer overflow in MSCOMCTL.OCX via a malicious RTF file embedding the MSComctlLib.ListViewCtrl.2 ActiveX control. It targets Office 2007 and 2010, using a ROP chain for DEP/ASLR bypass on Office 2010.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Office 2007 (no-SP/SP1/SP2/SP3) and Office 2010 SP1
No auth needed
Prerequisites: Victim must open the malicious RTF file in a vulnerable version of Microsoft Office
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Sunqiz · poc
https://github.com/Sunqiz/CVE-2012-0158-reproduction

This repository contains a proof-of-concept exploit for CVE-2012-0158, demonstrating a remote code execution vulnerability in Microsoft Windows. The exploit uses shellcode to load user32.dll and display a MessageBox, showcasing the ability to execute arbitrary code.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (multiple versions)
No auth needed
Prerequisites: Vulnerable Microsoft Windows system · Ability to deliver malicious file or exploit vector
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by RobertoLeonFR-ES · poc
https://github.com/RobertoLeonFR-ES/Exploit-Win32.CVE-2012-0158.F.doc

The repository contains only a README.md file with minimal information about an exploit for CVE-2012-0158, mentioning Microsoft Defender detection but no actual exploit code or technical details.

Classification: Writeup (30%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Microsoft Windows (unspecified version)
No auth needed
Prerequisites: none provided
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Unknown, juan vazquez, sinn3r · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms12_027_mscomctl_bof.rb

This Metasploit module exploits a stack buffer overflow in MSCOMCTL.OCX via a malicious RTF file embedding a crafted MSComctlLib.ListViewCtrl.2 control, targeting Office 2007 and 2010 with DEP/ASLR bypass techniques.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft Office 2007/2010 (MSCOMCTL.OCX)
No auth needed
Prerequisites: Victim opens malicious RTF file
devstral-2 · analyzed Feb 16, 2026

References (13)

Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026902
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026899
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA12-101A.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026904
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026903
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026905
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/52911
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74372
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026900

Scores

CVSS v3 8.8
EPSS 0.9431
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2012-01-01
InTheWild.io 2018-10-12
ENISA EUVD EUVD-2012-0196
Ransomware Use Confirmed
CWE CWE-94
Status published
Products (16)
microsoft/biztalk_server 2002 sp1
microsoft/commerce_server 2002 sp4
microsoft/commerce_server 2007 sp2
microsoft/commerce_server_2009
microsoft/commerce_server_2009 r2
microsoft/office 2003 sp3
microsoft/office 2007 sp2 (2 CPE variants)
microsoft/office 2010 (3 CPE variants)
microsoft/office_web_components 2003 sp3
microsoft/sql_server_2000
... and 6 more
Published Apr 10, 2012
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026