CVE-2017-0290

HIGH

Microsoft Malware Protection Engine <= 1.1.13701.0 (fixed in 1.1.13704.0) - Remote Code Execution via Crafted File Scan

Title source: llm

Exploitation Summary

EIP tracks 4 public entries for CVE-2017-0290: one verified working PoC (Google Security Research, via Exploit-DB), two reference writeups (qazbnm456, xbl3) and one repository flagged as suspicious (homjxi0e).

AI-analyzed exploit summary

The bug is a type confusion in NScript, the JavaScript evaluator inside the Microsoft Malware Protection Engine (MsMpEng), which runs unsandboxed as NT AUTHORITY\SYSTEM and evaluates script found in any file it scans. JsDelegateObject_Error::toString() reads the Error object's 'message' property and hands it to JsRuntimeState::triggerShortStrEvent() without checking that it is a string, so an attacker-controlled object of any other type is processed as if it were a string and memory is corrupted. Because real-time protection scans files as they arrive, a crafted file only has to reach disk (mail attachment, browser download, instant message) to be processed; it does not have to be opened.

Description

The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 does not properly scan a specially crafted file leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability."
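The check a practitioner wants for this entry is whether a host's engine has reached the fixed build, and whether anything has been crashing MsMpEng. The PowerShell below is an added example written for this page; it is not code from EIP, Exploit-DB or Project Zero. It assumes that 1.1.13704.0 is the first fixed engine build (Microsoft Security Advisory 4022344 lists 1.1.13701.0 as the last affected build) and that, on MSE/SCEP/Forefront hosts without the Defender module, the engine build is recorded under the 'Signature Updates' registry keys named in the script; verify those paths on your build. The function names are this example's own.

```powershell
# Added triage script for CVE-2017-0290 (not from the EIP page, Exploit-DB or Project Zero).
# Assumption: 1.1.13704.0 is the first fixed engine build (Microsoft Security Advisory 4022344;
# 1.1.13701.0 is the last affected build).
$FixedEngineVersion = [version]'1.1.13704.0'

function Get-MpEngineVersion {
    # Prefer the Defender cmdlet; fall back to the registry on MSE/SCEP/Forefront hosts
    # that lack the Defender PowerShell module.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $status = Get-MpComputerStatus
        return [version]($status.AMEngineVersion)
    }
    # Assumption: these are the keys under which Defender and the Microsoft Antimalware
    # (MSE/SCEP/Forefront) clients record the engine build; verify on your build.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    throw 'Could not determine the Malware Protection Engine version on this host.'
}

function Test-CVE20170290Patched {
    $engine = Get-MpEngineVersion
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EngineVersion = $engine
        Patched       = ($engine -ge $FixedEngineVersion)
    }
}

function Find-MsMpEngCrashes {
    # Hunt for MsMpEng.exe crashes (Application log, source 'Application Error', event 1000).
    # The engine runs as SYSTEM and the service restarts it, so a failed attempt against a
    # scanned file usually leaves only this event behind.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'MsMpEng\.exe' } |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0..3] -join ' ' } }
}

$status = Test-CVE20170290Patched
$status | Format-List

if (-not $status.Patched) {
    Write-Warning "Engine $($status.EngineVersion) is below $FixedEngineVersion."
    if (Get-Command Update-MpSignature -ErrorAction SilentlyContinue) {
        # Engine updates ship with definition updates, so pull them now and re-check.
        Update-MpSignature -ErrorAction Stop
        Test-CVE20170290Patched | Format-List
    } else {
        Write-Warning 'Trigger a definition update through the product (MSE/SCEP/Forefront) and re-run.'
    }
}

Find-MsMpEngCrashes -Days 30 | Format-Table -AutoSize
```

Run it elevated on each host; the engine is updated through the normal definition-update channel, so a host that reports Patched = False after Update-MpSignature is one whose updates are blocked and needs attention rather than a manual engine install.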

Exploits (4)

exploitdb WORKING POC VERIFIED
by Google Security Research · text · remote · windows
https://www.exploit-db.com/exploits/41975

Exploit-DB mirror of the Project Zero report (issue 1252) and its attached test case. The file contains JavaScript that, when MsMpEng's NScript engine evaluates it during a scan, reaches JsDelegateObject_Error::toString() with a non-string 'message' property, so the attacker-controlled object is passed to JsRuntimeState::triggerShortStrEvent() as if it were a string. It is a proof-of-concept trigger for the memory corruption, not a weaponized payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Malware Protection Engine (MsMpEng) in Windows 8, 8.1, 10, and Windows Server 2012
No auth needed
Prerequisites: The ability to get a controlled file onto the target's disk (mail attachment, browser download, instant message); real-time protection scans it on arrival, so the file need not be opened
devstral-2 · analyzed Feb 16, 2026
github WRITEUP 3,480 stars
by qazbnm456 · poc
https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-0290.md

This repository provides a detailed writeup and references for CVE-2017-0290, a type confusion vulnerability in the Microsoft Malware Protection Engine (MsMpEng). It includes links to the original PoC and technical analysis from Project Zero, but does not contain functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Malware Protection Engine (MsMpEng) on Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials
No auth needed
Prerequisites: Target system running vulnerable version of MsMpEng
devstral-2 · analyzed Feb 27, 2026
github WRITEUP 14 stars
by xbl3 · poc
https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-0290.md

This repository provides a detailed writeup and references for CVE-2017-0290, a type confusion vulnerability in the Microsoft Malware Protection Engine (MsMpEng) that allows remote code execution. It includes links to the original Project Zero report and external analysis but does not contain functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Malware Protection Engine (MsMpEng) on Windows 8, 8.1, 10, Windows Server, SCEP, Microsoft Security Essentials
No auth needed
Prerequisites: A crafted file reaching the disk of a system running a vulnerable engine; no network access to the host itself is required
devstral-2 · analyzed Feb 27, 2026
nomisec SUSPICIOUS
by homjxi0e · poc
https://github.com/homjxi0e/CVE-2017-0290-

The repository contains no functional exploit code or technical details, only a vague README with buzzwords and no substantive information about CVE-2017-0290. The content appears to be a social engineering lure.

Classification
Suspicious 90%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Windows Defender (claimed)
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (10)

Core References (7 listed)

[Exploit, Third Party Advisory] https://bugs.chromium.org/p/project-zero/issues/detail?id=1252
[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038420
[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/41975/
[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038419
[Exploit, Third Party Advisory] https://twitter.com/natashenka/status/861748397409058816
[Patch, Vendor Advisory] https://technet.microsoft.com/library/security/4022344
[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/98330

Scores

CVSS v3 7.8
EPSS 0.7721
EPSS Percentile 99.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AV:L reflects that the crafted file must be on the local filesystem when it is scanned; delivery is typically remote (mail, web, IM) and the file is scanned on arrival without being opened, which is why Project Zero described the bug as remotely exploitable.

Details

CWE
CWE-119
Status published
Products (4)
microsoft/forefront_security
microsoft/malware_protection_engine < 1.1.13701.0
microsoft/windows_defender
Microsoft Corporation/Microsoft Malware Protection Engine Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows
Published May 09, 2017
Tracked Since Feb 18, 2026