CVE-2015-2509

Windows Media Center - Remote Code Execution via Crafted MCL File

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-2509. PoCs published by Metasploit, R-73eN, sinn3r, including Metasploit module exploits/windows/fileformat/ms15_100_mcl_exe.

AI-analyzed exploit summary This Metasploit module exploits CVE-2015-2509 by crafting a malicious .mcl file that triggers a UNC path download, leading to arbitrary code execution via Windows Media Center. The exploit generates a payload executable and embeds it in the MCL file for remote execution.

Description

Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted Media Center link (mcl) file, aka "Windows Media Center RCE Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/38195

This Metasploit module exploits CVE-2015-2509 by crafting a malicious .mcl file that triggers a UNC path download, leading to arbitrary code execution via Windows Media Center. The exploit generates a payload executable and embeds it in the MCL file for remote execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows Media Center (versions affected by MS15-100)
No auth needed
Prerequisites: Victim must open the malicious .mcl file · SMB share access for UNC path
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by R-73eN · pythonremotewindows
https://www.exploit-db.com/exploits/38151

This exploit generates a malicious Music.mcl file that, when opened by Windows Media Center, executes an arbitrary command (e.g., calc.exe) due to improper XML parsing. It leverages CVE-2015-2509 to achieve remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Windows Media Center (Windows 7 Ultimate tested)
No auth needed
Prerequisites: Victim must open the malicious Music.mcl file in Windows Media Center
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by sinn3r · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb

This Metasploit module exploits CVE-2015-2509 in Windows Media Center by crafting a malicious .mcl file that references a UNC path to execute a remote payload. The exploit generates a payload executable and an MCL file to trigger automatic remote file execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Windows Media Center (versions affected by MS15-100)
No auth needed
Prerequisites: Target system with vulnerable Windows Media Center installed · Network access to host the malicious payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76594
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-100
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38195/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033499
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38151/

Scores

EPSS 0.7104
EPSS Percentile 99.3%

Details

CWE
CWE-284
Status published
Products (4)
microsoft/windows_7
microsoft/windows_8
microsoft/windows_8.1
microsoft/windows_vista
Published Sep 09, 2015
Tracked Since Feb 18, 2026