CVE-2016-0189

HIGH KEV RANSOMWARE

Microsoft JScript/VBScript <5.8 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2016-0189 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 28, 2022, with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including Brian Pak, theori-io, deamwork, including a Metasploit module exploits/windows/browser/ms16_051_vbscript.

AI-analyzed exploit summary This is a functional proof-of-concept exploit for CVE-2016-0189, a VBScript memory corruption vulnerability in Internet Explorer 11. The exploit requires serving specific HTML and DLL files via a web server to trigger the vulnerability, potentially leading to remote code execution.

Description

The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187.

Exploits (5)

exploitdb WORKING POC
by Brian Pak · textlocalwindows
https://www.exploit-db.com/exploits/40118

This is a functional proof-of-concept exploit for CVE-2016-0189, a VBScript memory corruption vulnerability in Internet Explorer 11. The exploit requires serving specific HTML and DLL files via a web server to trigger the vulnerability, potentially leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Internet Explorer 11 on Windows 10
No auth needed
Prerequisites: Web server to host exploit files · Victim must visit the malicious page using IE11
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 114 stars
by theori-io · client-side
https://github.com/theori-io/cve-2016-0189

This repository contains a functional proof-of-concept exploit for CVE-2016-0189, a VBScript memory corruption vulnerability in Internet Explorer 11. The exploit includes support DLLs for local privilege escalation and a local HTTP server to serve the malicious payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Internet Explorer 11 on Windows 10
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer 11 · Local HTTP server to serve the exploit files
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 3 stars
by deamwork · client-side
https://github.com/deamwork/MS16-051-poc

This repository contains a functional proof-of-concept exploit for CVE-2016-0189, a VBScript memory corruption vulnerability in Internet Explorer 11. The exploit includes support DLLs for local privilege escalation via a local HTTP server and environment variable manipulation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: Internet Explorer 11 on Windows 10
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer 11 · Local HTTP server to serve exploit files
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Theori-lO · poc
https://github.com/Theori-lO/cve-2016-0189

This repository contains a functional proof-of-concept exploit for CVE-2016-0189, a VBScript memory corruption vulnerability in Internet Explorer 11. The exploit includes support DLLs for local privilege escalation via a local HTTP server and environment variable manipulation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Internet Explorer 11 on Windows 10
No auth needed
Prerequisites: Victim must browse to a malicious HTML file served via a local HTTP server · DLLs must be compiled or downloaded separately
devstral-2 · analyzed Apr 30, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Theori · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms16_051_vbscript.rb

This Metasploit module exploits a memory corruption vulnerability (CVE-2016-0189) in the VBScript engine of Internet Explorer 11. It uses a combination of heap spraying and memory manipulation to achieve remote code execution on vulnerable systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Internet Explorer 11 on Windows 10
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer 11
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (7)

Core 7
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/90012
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-051
Patch, Vendor Advisory vendor-advisory x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-053
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40118/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035820

Scores

CVSS v3 7.5
EPSS 0.9316
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-28
VulnCheck KEV 2016-05-10
InTheWild.io 2016-05-10
ENISA EUVD EUVD-2016-0226
Ransomware Use Confirmed
CWE
CWE-787
Status published
Products (6)
microsoft/internet_explorer 9
microsoft/internet_explorer 10
microsoft/internet_explorer 11
microsoft/jscript 5.8
microsoft/vbscript 5.7
microsoft/vbscript 5.8
Published May 11, 2016
KEV Added Mar 28, 2022
Tracked Since Feb 18, 2026