Cyber Resilience

CVE-2013-0074

High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 13 March 2013
Modified: 22 April 2026
KEV Added: 25 May 2022
Patch: vendor update available (MS13-022, Silverlight 5.1.20125.0 or later)
CVSS Score v3.1: 7.8 (High) CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.9369 (99.9th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-0074 is a high-severity vulnerability in Microsoft Silverlight. No CWE is mapped in the source data; Microsoft describes it as a double dereference caused by improper pointer validation during HTML object rendering. Its CVSS v3.1 base score is 7.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood (99.9th percentile), and CISA added it to the Known Exploited Vulnerabilities catalog on 25 May 2022.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

Microsoft Silverlight 5 and the Silverlight 5 Developer Runtime, prior to version 5.1.20125.0, contain a double dereference vulnerability stemming from improper pointer validation during HTML object rendering. The flaw is tracked as CVE-2013-0074 and carries a CVSS 3.1 base score of 7.8.

Remote attackers exploit the issue by serving a crafted Silverlight application, for example from a web page, that triggers the pointer mishandling when the browser plugin renders it. Successful exploitation yields arbitrary code execution with the privileges of the current user; the only interaction needed is that the victim open or view the malicious content. The CVSS vector records a Local attack vector (AV:L) with user interaction required, which is the v3 scoring convention for bugs triggered by attacker-supplied content the victim opens, so the vector should not be read as requiring prior local access to the machine.

Microsoft security bulletin MS13-022 and the associated US-CERT alert TA13-071A direct administrators to install the vendor-supplied update that advances Silverlight to 5.1.20125.0 or later; the bulletin also lists detection logic published in OVAL definitions for enterprise scanning. No additional real-world exploitation details are provided in the source references.

Vulnerability details

Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."

CWE(s): none mapped in the source data
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: silverlight
Versions: 5.0 up to, but excluding, 5.1.20125.0 (the fixed build is not affected)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely installation of the vendor patch that upgrades Silverlight to 5.1.20125.0 or later and eliminates the double-dereference flaw.

SC-18 Mobile Code (partial match, prevent)

Requires policy, technical controls, and monitoring over mobile code (Silverlight) to block execution of untrusted or crafted applications.

CM-7 Least Functionality (prevent)

Enforces least functionality by disabling or removing Silverlight where it is not explicitly required, eliminating the attack surface entirely.
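To show how the affected-version range and the SI-2/CM-7 controls translate into an inventory check, here is an added example in Python. It is not code from this page, from Microsoft or from CISA. It assumes an inventory export with one record per host (the Host fields, hostnames and version values below are constructed sample data), treats 5.1.20125.0 as the first fixed build per MS13-022, and compares versions component by component rather than as strings.

```python
"""Triage a Silverlight inventory against CVE-2013-0074.

Added example, not code from the page or from Microsoft. Assumes an
inventory export with one row per host; the Host records at the bottom
are constructed sample data. The fixed build 5.1.20125.0 is from MS13-022.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIXED_VERSION = "5.1.20125.0"  # first non-vulnerable Silverlight 5 build (MS13-022)
AFFECTED_FLOOR = "5.0"         # Silverlight 5 line, per the affected-assets range


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '5.1.20125.0' into (5, 1, 20125, 0) so components compare numerically.

    Plain string comparison gets this wrong: '5.1.9.0' > '5.1.20125.0' as strings
    because '9' > '2', so a string-comparing scanner would call 5.1.9.0 patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so '5.0' and '5.0.0.0' compare equal."""
    return v + (0,) * (width - len(v))


def is_vulnerable(version: str) -> bool:
    """True when AFFECTED_FLOOR <= version < FIXED_VERSION.

    The upper bound is exclusive: 5.1.20125.0 is the fix, not an affected build.
    """
    v = _pad(parse_version(version))
    return _pad(parse_version(AFFECTED_FLOOR)) <= v < _pad(parse_version(FIXED_VERSION))


@dataclass
class Host:
    name: str
    silverlight_version: Optional[str]  # None means the plugin is not installed
    required: bool                      # documented business need for Silverlight?


def triage(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Map each host to an action, applying CM-7 before SI-2.

    Removing an unneeded plugin (CM-7 Least Functionality) eliminates the attack
    surface entirely, so it takes precedence over patching (SI-2 Flaw Remediation).
    """
    actions = []
    for h in hosts:
        if h.silverlight_version is None:
            action = "no action: not installed"
        elif not h.required:
            action = "remove: Silverlight not required (CM-7)"
        elif is_vulnerable(h.silverlight_version):
            action = f"patch: {h.silverlight_version} < {FIXED_VERSION} (SI-2)"
        else:
            action = "compliant: at or above fixed build"
        actions.append((h.name, action))
    return actions


# Constructed sample inventory; hostnames and version values are illustrative only.
SAMPLE_HOSTS = [
    Host("ws01", "5.1.20125.0", required=True),   # exactly the fixed build
    Host("ws02", "5.1.10411.0", required=True),   # older 5.1 build, needs the update
    Host("ws03", "5.0.61118.0", required=False),  # vulnerable and unneeded: remove it
    Host("ws04", None, required=False),           # plugin absent
    Host("ws05", "5.1.9.0", required=True),       # string-compare trap: numerically old
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_HOSTS):
        print(f"{name}: {action}")
```

Two details matter when adapting this to a real scanner: the upper bound of the affected range must be exclusive, since the page's own asset range otherwise reads as if the fixed build were vulnerable, and versions must be compared numerically per component, because a lexicographic comparison ranks a hypothetical 5.1.9.0 above 5.1.20125.0.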
