Cyber Resilience

CVE-2013-7331

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 February 2014

Modified: 22 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
EPSS Score: 0.8181 (99.2th percentile)
Risk Priority: 82 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-7331 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and CM-7 (Least Functionality).

Deeper analysis

The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier versions has an information disclosure vulnerability, tracked as CVE-2013-7331 and classified as CWE-209. Remote attackers can supply specially crafted res:// URLs that trigger distinguishable error codes, revealing the existence or non-existence of local filesystem paths, UNC share paths, intranet hostnames, and intranet IP addresses without requiring authentication.

An attacker can embed such URLs in web content delivered to a victim browser, then inspect the resulting error responses to map internal resources on the target system or network. This enables reconnaissance that supports further targeted attacks, such as identifying files for subsequent exploitation or confirming the presence of specific intranet hosts.

Microsoft addressed the issue in security bulletin MS14-052, while additional details and indicators appear in CERT VU#539289 and related vendor advisories. The vulnerability was exploited in the wild in February 2014 during Operation Snowman, which compromised the US Veterans of Foreign Wars website to deliver DeputyDog malware.

Vulnerability details

The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.

CWE(s)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: internet explorer
Versions: 10, 11, 6, 7, 8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-11 Error Handling (prevent)

Directly requires error messages to avoid revealing sensitive information (local paths, UNC shares, intranet hosts) that this CVE exploits via distinguishable res:// error codes.

SC-18 Mobile Code, partial match (prevent)

Establishes usage restrictions and implementation guidance for mobile code technologies such as the vulnerable Microsoft.XMLDOM ActiveX control.

CM-7 Least Functionality (prevent)

Enforces least functionality by disabling or restricting unnecessary ActiveX controls and features that enable the information-disclosure vector.
