CVE-2013-2551

HIGH KEV RANSOMWARE

Microsoft Internet Explorer <10 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2013-2551 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including Metasploit, Nicolas Joly, 4B5F5F4B, juan vazquez, sinn3r, including a Metasploit module exploits/windows/browser/ms13_037_svg_dashstyle.

AI-analyzed exploit summary This Metasploit module exploits an integer overflow vulnerability in Internet Explorer 8 on Windows 7 SP1 via the handling of the dashstyle.array length for VML shapes in vgx.dll. It uses heap spraying and ROP chains (either JRE or ntdll-based) to achieve remote code execution.

Description

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/26175

This Metasploit module exploits an integer overflow vulnerability in Internet Explorer 8 on Windows 7 SP1 via the handling of the dashstyle.array length for VML shapes in vgx.dll. It uses heap spraying and ROP chains (either JRE or ntdll-based) to achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer 8 on Windows 7 SP1
No auth needed
Prerequisites: Target must be using Internet Explorer 8 on Windows 7 SP1 · Java Runtime Environment (JRE) or specific ntdll.dll versions for ROP
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Nicolas Joly, 4B5F5F4B, juan vazquez, sinn3r · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb

This Metasploit module exploits an integer overflow vulnerability in Microsoft Internet Explorer (CVE-2013-2551) via a malformed VML shape dashstyle array, achieving remote code execution on Windows 7 SP1 with IE 8. It uses either JRE6 or an ntdll information leak to bypass ASLR.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer 8 on Windows 7 SP1
No auth needed
Prerequisites: Target must be using IE 8 on Windows 7 SP1 · Specific ntdll.dll versions (6.1.7601.17514 or 6.1.7601.17725) or JRE6 for ASLR bypass
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-037
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/ncas/alerts/TA13-134A

Scores

CVSS v3 8.8
EPSS 0.9241
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2015-02-23
InTheWild.io 2022-03-28
ENISA EUVD EUVD-2013-2493
Ransomware Use Confirmed
CWE
CWE-416
Status published
Products (5)
microsoft/internet_explorer 6
microsoft/internet_explorer 7
microsoft/internet_explorer 8
microsoft/internet_explorer 9
microsoft/internet_explorer 10
Published Mar 11, 2013
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026