CVE-2013-3918

HIGH KEV

Microsoft Windows - Remote Code Execution via InformationCardSigninHelper ActiveX Control


Exploitation Summary

CVE-2013-3918 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 6, 2025. EIP tracks 2 public exploits from researchers including Metasploit, Unknown and juan vazquez, among them the Metasploit module exploits/windows/browser/ms13_090_cardspacesigninhelper.

AI-analyzed exploit summary: This Metasploit module exploits an integer underflow vulnerability in the CardSpaceClaimCollection ActiveX control (icardie.dll) via a crafted HTML page. It achieves remote code execution by corrupting memory through a SafeArray manipulation technique.

Description

The InformationCardSigninHelper Class ActiveX control in icardie.dll in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted web page that is accessed by Internet Explorer, as exploited in the wild in November 2013, aka "InformationCardSigninHelper Vulnerability."

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/29857

This Metasploit module exploits an integer underflow vulnerability in the CardSpaceClaimCollection ActiveX control (icardie.dll) via a crafted HTML page. It achieves remote code execution by corrupting memory through a SafeArray manipulation technique.

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Complex
Reliability
Reliable
Target: Microsoft CardSpaceClaimCollection ActiveX (icardie.dll) on Windows XP with IE 8
No auth needed
Prerequisites: Target must visit a malicious webpage · ActiveX control must be enabled in IE
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · NORMAL
by Unknown, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb

This Metasploit module exploits an integer underflow vulnerability in the CardSpaceClaimCollection ActiveX control (icardie.dll) to achieve remote code execution on Windows XP with IE 8. The exploit manipulates the SafeArray length field to corrupt memory and execute arbitrary payloads via VBScript and JavaScript.

Classification
Working PoC 100%
Attack Type
RCE
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer 8 on Windows XP with ActiveX control (icardie.dll)
No auth needed
Prerequisites: Target must be using Windows XP with IE 8 · ActiveX control must be enabled · Target must visit a malicious webpage
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.8847
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-10-06
VulnCheck KEV 2013-11-12
InTheWild.io 2019-05-14
ENISA EUVD EUVD-2013-3850
CWE
CWE-787
Status published
Products (12)
microsoft/windows_7 (2 CPE variants)
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_rt
microsoft/windows_rt_8.1
microsoft/windows_server_2003
microsoft/windows_server_2008 r2 sp1 (2 CPE variants)
microsoft/windows_server_2008 sp2
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
... and 2 more
Published Nov 12, 2013
KEV Added Oct 06, 2025
Tracked Since Feb 18, 2026