Cyber Resilience

CVE-2012-0158

HighCISA KEVActive ExploitationEUVD ExploitedRCE

Published: 10 April 2012

Published
10 April 2012
Modified
22 April 2026
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.9431 100.0th percentile
Risk Priority 94 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2012-0158 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Office. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-3 (Malicious Code Protection).

Deeper analysis

The vulnerability is a remote code execution flaw, identified as CWE-94, in the ListView, ListView2, TreeView, and TreeView2 ActiveX controls within MSCOMCTL.OCX from the Microsoft Common Controls library. It affects a wide range of products including Microsoft Office 2003 SP3, 2007 SP2/SP3, and 2010 Gold/SP1 along with Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2/SP3/R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold/R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and the Visual Basic 6.0 Runtime. The flaw stems from improper handling of crafted input that corrupts system state.

Remote attackers can exploit the issue by delivering a malicious web site, Office document, or RTF file to a target system. Successful exploitation grants the ability to execute arbitrary code with the privileges of the current user, enabling full compromise of affected applications and underlying data.

The issue was exploited in the wild as of April 2012. Public references such as SecurityFocus BID 52911 and multiple SecurityTracker entries (1026899, 1026900, 1026902) along with related analyses document the vulnerability and its observed use in targeted attacks.

EU & UK References

Vulnerability details

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000…

more

SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
office
2003, 2007, 2010
microsoft
office web components
2003
microsoft
sql server 2000
all versions
microsoft
sql server 2005
all versions
microsoft
sql server 2008
all versions, r2
microsoft
biztalk server
2002
microsoft
commerce server
2002, 2007
microsoft
commerce server 2009
all versions, r2
microsoft
visual basic
6.0
microsoft
visual foxpro
8.0, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Restricts or disables use of ActiveX mobile code (MSCOMCTL.OCX controls) that can be invoked by crafted documents or web content to achieve RCE.

preventdetect

Deploys malicious-code protection mechanisms that detect and block the crafted Office/RTF/web payloads exploiting the ListView/TreeView ActiveX flaw.

prevent

Disables or removes the unnecessary MSCOMCTL.OCX ActiveX components, reducing the attack surface for the documented RCE vector.

References