CVE-2017-8625

HIGH

Internet Explorer - Security Feature Bypass via UMCI Policy Validation

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-8625. PoCs published by homjxi0e.

AI-analyzed exploit summary: This PoC demonstrates a bypass for User Mode Code Integrity (UMCI) in Windows Defender Device Guard by leveraging JScript in Internet Explorer to execute arbitrary commands via an ActiveXObject. The exploit uses a simple HTML file to trigger the execution of a batch file (empire.bat).

Description

Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to bypass Device Guard User Mode Code Integrity (UMCI) policies due to Internet Explorer failing to validate UMCI policies, aka "Internet Explorer Security Feature Bypass Vulnerability".

Exploits (1)

nomisec · Working PoC · 1 star
by homjxi0e · poc
https://github.com/homjxi0e/CVE-2017-8625_Bypass_UMCI

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Windows Defender Device Guard (UMCI) on Windows 10/Server with Internet Explorer
Authentication: none needed
Prerequisites: Internet Explorer must be present on the target system · User must open the malicious HTML file via Internet Explorer
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.1526
EPSS Percentile 96.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-276
Status published
Products (2)
microsoft/internet_explorer 11
Microsoft Corporation/Internet Explorer Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016.
Published Aug 08, 2017
Tracked Since Feb 18, 2026