CVE-2013-0074

HIGH KEV RANSOMWARE

Microsoft Silverlight <5.1.20125.0 - RCE

Title source: llm

Exploitation Summary

CVE-2013-0074 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including Metasploit, James Forshaw, Vitaliy Toropov, juan vazquez, including a Metasploit module exploits/windows/browser/ms13_022_silverlight_script_object.

AI-analyzed exploit summary This Metasploit module exploits CVE-2013-0074, a memory corruption vulnerability in Microsoft Silverlight's COALineDashStyleArray, combined with an info leak (CVE-2013-3896) to bypass DEP/ASLR. It delivers a malicious XAP file to achieve arbitrary code execution on Windows systems via Internet Explorer.

Description

Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/29858

View Code ZIP pw:eip

This Metasploit module exploits CVE-2013-0074, a memory corruption vulnerability in Microsoft Silverlight's COALineDashStyleArray, combined with an info leak (CVE-2013-3896) to bypass DEP/ASLR. It delivers a malicious XAP file to achieve arbitrary code execution on Windows systems via Internet Explorer.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Silverlight (versions affected by MS13-022 and MS13-087)

No auth needed

Prerequisites: Victim must visit a malicious webpage using Internet Explorer with Silverlight installed

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocalwindows

https://www.exploit-db.com/exploits/41702

View Code ZIP pw:eip

This Metasploit module exploits CVE-2013-3896, a vulnerability in Microsoft Silverlight's ScriptObject Initialize() method, which allows unsafe memory access leading to arbitrary code execution. It bypasses DEP/ASLR using a secondary vulnerability in the WriteableBitmap class and has been tested on IE6-IE10 and Windows XP/7.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Silverlight (versions affected by MS13-022 and MS13-087)

No auth needed

Prerequisites: Target must have vulnerable Silverlight installed · Target must visit a malicious webpage hosting the exploit

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC NORMAL

by James Forshaw, Vitaliy Toropov, juan vazquez · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2013-0074, a memory corruption vulnerability in Microsoft Silverlight's ScriptObject Initialize() method, combined with an info leak (CVE-2013-3896) to bypass DEP/ASLR. It delivers a malicious XAP file and DLL to achieve arbitrary code execution on vulnerable Windows systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Silverlight (versions affected by MS13-022)

No auth needed

Prerequisites: Victim must visit a malicious webpage with Silverlight installed · Target must be using Internet Explorer (IE6-IE10) on Windows XP SP3 or Windows 7 SP1

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →