CVE-2012-1889

HIGH KEV

Microsoft XML Core Services 3.0, 4.0, 5.0, 6.0 - Remote Code Execution via Uninitialized Memory Access

Title source: llm

Exploitation Summary

CVE-2012-1889 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2022. EIP tracks 4 public exploits from researchers including Metasploit, whu-enjoy, l-iberty, including a Metasploit module exploits/windows/browser/msxml_get_definition_code_exec.

AI-analyzed exploit summary This Metasploit module exploits a memory corruption vulnerability in Microsoft XML Core Services (MSXML) via uninitialized memory access in the getDefinition API, leading to remote code execution on vulnerable IE versions.

Description

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/19186

View Code ZIP pw:eip

This Metasploit module exploits a memory corruption vulnerability in Microsoft XML Core Services (MSXML) via uninitialized memory access in the getDefinition API, leading to remote code execution on vulnerable IE versions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft XML Core Services (MSXML) 3.0-6.0, Internet Explorer 6-9

No auth needed

Prerequisites: Vulnerable version of MSXML/IE · User interaction (visiting malicious page)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by whu-enjoy · client-side

https://github.com/whu-enjoy/CVE-2012-1889

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2012-1889, which targets a vulnerability in Microsoft XML Core Services. The exploit includes shellcode conversion tools and a test harness for validating the shellcode.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft XML Core Services (MSXML)

No auth needed

Prerequisites: Vulnerable version of MSXML · Ability to deliver malicious HTML/JavaScript to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by l-iberty · poc

https://github.com/l-iberty/cve-2012-1889

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2012-1889, targeting a stack-based buffer overflow in Microsoft XML Core Services (MSXML) via IE8. It includes detailed analysis, heap spray techniques, and a shellcode generator for achieving remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft XML Core Services (MSXML) via Internet Explorer 8

No auth needed

Prerequisites: Windows 7 32-bit · Internet Explorer 8 · MSXML3.dll vulnerability

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GOOD

by inking26, binjo, sinn3r, juan vazquez · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a memory corruption vulnerability in Microsoft XML Core Services (MSXML) via the getDefinition API, leading to remote code execution. It includes ROP chains and heap spraying techniques to achieve reliable exploitation across multiple IE versions and Windows platforms.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft XML Core Services (MSXML) 3.0, Internet Explorer 6-9

No auth needed

Prerequisites: Victim must visit a malicious webpage or open a malicious HTML file · Java 6 may be required for certain targets

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-1889

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA12-192A.html

Vendor Advisory x_refsource_confirm

http://technet.microsoft.com/security/advisory/2719615

Broken Link vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15195

Patch, Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-043

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA12-174A.html

Scores

CVSS v3 8.8

EPSS 0.9312

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-06-08

VulnCheck KEV 2012-09-01

InTheWild.io 2015-09-09

ENISA EUVD EUVD-2012-1899

CWE

CWE-787

Status published

Products (4)

microsoft/xml_core_services 3.0

microsoft/xml_core_services 4.0

microsoft/xml_core_services 6.0

microsoft/xml_core_services 5.0

Published Jun 13, 2012

KEV Added Jun 08, 2022

Tracked Since Feb 18, 2026