CVE-2017-8558

HIGH

Microsoft Malware Protection Engine - Remote Code Execution via Crafted File Scan

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-8558. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit demonstrates a heap corruption vulnerability in Microsoft's Malware Protection Engine (MsMpEng) via the exposed 'apicall' instruction. The PoC leverages the VFS_Write API to corrupt a MutableByteStream object, leading to arbitrary memory read/write primitives.

Description

The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on 32-bit versions of Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703 does not properly scan a specially crafted file leading to memory corruption. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability".

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · textdoswindows

https://www.exploit-db.com/exploits/42264

View Code ZIP pw:eip

This exploit demonstrates a heap corruption vulnerability in Microsoft's Malware Protection Engine (MsMpEng) via the exposed 'apicall' instruction. The PoC leverages the VFS_Write API to corrupt a MutableByteStream object, leading to arbitrary memory read/write primitives.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Malware Protection Engine (MsMpEng) on Windows

No auth needed

Prerequisites: Access to a system with Microsoft Malware Protection Engine enabled

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/99262

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42264/

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038783

Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8558

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038784

Scores

CVSS v3 7.8

EPSS 0.4359

EPSS Percentile 98.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-119

Status published

Products (7)

microsoft/endpoint_protection

microsoft/forefront_endpoint_protection

microsoft/forefront_endpoint_protection 2010

microsoft/security_essentials

microsoft/windows_defender

microsoft/windows_intune_endpoint_protection

Microsoft Corporation/Microsoft Malware Protection Engine 32-bit versions only of Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008

Published Jun 29, 2017

Tracked Since Feb 18, 2026