Cyber Resilience

CVE-2008-0015

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 07 July 2009
Modified: 21 April 2026
KEV Added: 17 February 2026
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.8158 (99.2th percentile)
Risk Priority: 87 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2008-0015 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Windows 2003 Server. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a stack-based buffer overflow in the CComVariant::ReadFromStream function within the Active Template Library (ATL), specifically affecting the MPEG2TuneRequest ActiveX control implemented in msvidctl.dll as part of DirectShow. It impacts multiple Microsoft Windows releases, including 2000 SP4, XP SP2/SP3, Server 2003 SP2, Vista Gold/SP1/SP2, and Server 2008 Gold/SP2. The flaw is tracked under CWE-119 and CWE-121 with a CVSS 3.1 score of 8.8.

Remote attackers can exploit the issue by serving a crafted web page that triggers the overflow when the ActiveX control processes the input stream, resulting in arbitrary code execution on the target system. No authentication is required, and the attack vector is network-based with user interaction via a browser.

Public references, including Microsoft Security Research and Defense blog posts and Secunia advisory 36187, address related patches such as those issued under MS09-037 and note reuse of CVE identifiers from prior ATL fixes. Additional sources such as SANS ISC and OSVDB entries document the issue and link to vendor guidance.

The vulnerability was exploited in the wild in July 2009, shortly after public disclosure.

Vulnerability details

Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."

CWE(s)
KEV Date Added: 17 February 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · windows 2003 server · all versions
microsoft · windows xp · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely application of vendor patches (e.g., MS09-037) that eliminate the ATL buffer-overflow flaw before exploitation.

prevent: Restricts or disables execution of untrusted mobile code such as the vulnerable MPEG2TuneRequest ActiveX control delivered via web pages.

prevent: Enforces least functionality by disabling or blocking unnecessary ActiveX controls and DLLs (msvidctl.dll) that are not required for business operations.

References