CVE-2019-0752

HIGH KEV RANSOMWARE

Internet Explorer - Memory Corruption

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-0752 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 15, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including Simon Zuckerbraun, edxsh.

AI-analyzed exploit summary This exploit leverages a memory corruption vulnerability in Internet Explorer's scripting engine to achieve arbitrary write primitives, ultimately leading to remote code execution via PowerShell. It uses CVE-2019-0768 to bypass mitigations and execute VBScript on Windows 10 1809.

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.

Exploits (3)

exploitdb WORKING POC
by Simon Zuckerbraun · htmlremotewindows
https://www.exploit-db.com/exploits/46928

This exploit leverages a memory corruption vulnerability in Internet Explorer's scripting engine to achieve arbitrary write primitives, ultimately leading to remote code execution via PowerShell. It uses CVE-2019-0768 to bypass mitigations and execute VBScript on Windows 10 1809.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Internet Explorer on Windows 10 1809 (17763.316)
No auth needed
Prerequisites: Target must be running Internet Explorer on Windows 10 1809 with February 2019 patch level or earlier
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by edxsh · client-side
https://github.com/edxsh/CVE-2019-0752

This PoC exploits CVE-2019-0752, a write-what-where vulnerability in Internet Explorer 11, allowing RCE without native code execution. It dynamically creates DOM elements via JavaScript to bypass static HTML and avoids PowerShell usage through address manipulation.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Internet Explorer 11 32bit on Windows 10 x64 (up to RS4, RS5)
No auth needed
Prerequisites: Target must be using Internet Explorer 11 32bit on Windows 10 x64 (up to RS4, RS5) · Victim must visit a malicious webpage or open a crafted HTML file
devstral-2 · analyzed Feb 16, 2026 Full analysis →
inthewild WRITEUP
poc
https://github.com/zwcreatephoton/cve-2019-0752

The repository provides a technical summary and reference to a blog post detailing the exploitation of CVE-2019-0752, a write-what-where vulnerability in Internet Explorer 11. It describes the use of JavaScript to dynamically create DOM elements and avoid static HTML, targeting Windows 10 systems up to RS4/RS5.

Classification
Writeup 80%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Internet Explorer 11 32bit on Windows 10 x64 up to RS4, RS5
No auth needed
Prerequisites: Internet Explorer 11 32bit on Windows 10 x64 up to RS4, RS5
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 7.5
EPSS 0.9148
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-02-15
VulnCheck KEV 2021-05-20
InTheWild.io 2022-02-15
ENISA EUVD EUVD-2019-1511
Ransomware Use Confirmed
CWE
CWE-843
Status published
Products (2)
microsoft/internet_explorer 11
microsoft/internet_explorer 10
Published Apr 09, 2019
KEV Added Feb 15, 2022
Tracked Since Feb 18, 2026