CVE-2018-0824

HIGH KEV

Microsoft Windows 10 1507 - Insecure Deserialization

Title source: rule

Description

A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Exploits (2)

nomisec WORKING POC 88 stars

by codewhitesec · local

https://github.com/codewhitesec/UnmarshalPwn

View Code ZIP pw:eip

exploitdb WRITEUP

by Code White · textlocalwindows

https://www.exploit-db.com/exploits/44906

View Code ZIP pw:eip

References (5)

[Broken Link, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/104030

[Broken Link, Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1040848

[Patch, Vendor Advisory] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/44906/

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-0824

Scores

CVSS v3 8.8

EPSS 0.9152

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2024-08-05

VulnCheck KEV 2024-08-01

InTheWild.io 2024-08-05

ENISA EUVD EUVD-2018-1629

Classification

CWE

CWE-502

Status published

Affected Products (16)

microsoft/windows_10_1507

microsoft/windows_10_1607

microsoft/windows_10_1703

microsoft/windows_10_1709

microsoft/windows_10_1803

microsoft/windows_7

microsoft/windows_8.1

microsoft/windows_rt_8.1

microsoft/windows_server_1709

microsoft/windows_server_1803

microsoft/windows_server_2008

microsoft/windows_server_2008

microsoft/windows_server_2008

microsoft/windows_server_2012

microsoft/windows_server_2012

... and 1 more

Timeline

Published May 09, 2018

KEV Added Aug 05, 2024

Tracked Since Feb 18, 2026