CVE-2017-8540

HIGH KEV

Microsoft Malware Protection Engine 1.1.13701.0-1.1.13704.0 - Remote Code Execution via Crafted File Scan

Title source: llm

Exploitation Summary

CVE-2017-8540 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 1 public exploit from researchers including Google Security Research.

AI-analyzed exploit summary This exploit leverages a garbage collection vulnerability in Microsoft Malware Protection Engine (MsMpEng) by triggering a GC during a callback where it should be disabled. The PoC uses a crafted JavaScript object with overridden toString and valueOf methods to force a GC via eval, leading to a use-after-free condition.

Description

The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to memory corruption. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability", a different vulnerability than CVE-2017-8538 and CVE-2017-8541.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · textdoswindows

https://www.exploit-db.com/exploits/42088

View Code ZIP pw:eip

This exploit leverages a garbage collection vulnerability in Microsoft Malware Protection Engine (MsMpEng) by triggering a GC during a callback where it should be disabled. The PoC uses a crafted JavaScript object with overridden toString and valueOf methods to force a GC via eval, leading to a use-after-free condition.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Malware Protection Engine (MsMpEng) versions prior to the fix for CVE-2017-8540

No auth needed

Prerequisites: Target system must have MsMpEng running with the vulnerable version

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-8540

Mitigation, Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8540

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/98703

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42088/

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038571

Scores

CVSS v3 7.8

EPSS 0.7196

EPSS Percentile 99.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-03

VulnCheck KEV 2022-03-03

InTheWild.io 2022-03-03

ENISA EUVD EUVD-2017-17490

CWE

CWE-787

Status published

Products (12)

microsoft/endpoint_protection

microsoft/exchange_server 2013

microsoft/exchange_server 2016

microsoft/forefront_endpoint_protection

microsoft/forefront_endpoint_protection 2010

microsoft/forefront_security

microsoft/intune_endpoint_protection

microsoft/malware_protection_engine 1.1.13701.0 - 1.1.13704.0

microsoft/security_essentials

microsoft/system_center_endpoint_protection

... and 2 more

Published May 26, 2017

KEV Added Mar 03, 2022

Tracked Since Feb 18, 2026