CVE-2013-7331

MEDIUM KEV RANSOMWARE

Internet Explorer - Information Disclosure via Microsoft.XMLDOM ActiveX Error Codes

Title source: llm

Exploitation Summary

CVE-2013-7331 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Soroush Dalili, sinn3r, including a Metasploit module auxiliary/gather/ms14_052_xmldom.

AI-analyzed exploit summary This Metasploit module exploits CVE-2013-7331 (MS14-052) to enumerate local filenames on a target machine via Internet Explorer 8/9 by abusing the Microsoft XMLDOM object's error messages. It sends a crafted HTML page to the victim and collects file existence data via an AJAX callback.

Description

The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.

Exploits (1)

metasploit WORKING POC

by Soroush Dalili, sinn3r · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/ms14_052_xmldom.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2013-7331 (MS14-052) to enumerate local filenames on a target machine via Internet Explorer 8/9 by abusing the Microsoft XMLDOM object's error messages. It sends a crafted HTML page to the victim and collects file existence data via an AJAX callback.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Internet Explorer 8.0, 9.0

No auth needed

Prerequisites: Victim must visit a malicious webpage using IE 8/9 · Attacker must provide a list of target file paths

MITRE ATT&CK

T1119 - Automated Collection T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-7331

Exploit x_refsource_misc

https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1030818

Patch, Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-052

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/539289

Third Party Advisory x_refsource_misc

http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

Scores

CVSS v3 6.5

EPSS 0.8181

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact partial

Details

CISA KEV 2022-05-25

VulnCheck KEV 2014-02-26

InTheWild.io 2019-05-14

ENISA EUVD EUVD-2013-7105

Ransomware Use Confirmed

CWE

CWE-209

Status published

Products (6)

microsoft/internet_explorer 6

microsoft/internet_explorer 7

microsoft/internet_explorer 8

microsoft/internet_explorer 9

microsoft/internet_explorer 10

microsoft/internet_explorer 11

Published Feb 26, 2014

KEV Added May 25, 2022

Tracked Since Feb 18, 2026