Cyber Resilience

CVE-2015-0071

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 11 February 2015

Modified: 22 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS Score: 0.3422 (97.1th percentile)
Risk Priority: 54 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2015-0071 is a medium-severity vulnerability of an unspecified weakness type in Microsoft Windows Server 2008. Its CVSS base score is 6.5 (Medium).

Operationally, it is ranked in the top 2.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SC-39 (Process Isolation).

Deeper analysis

Microsoft Internet Explorer versions 9 through 11 contain an ASLR bypass vulnerability that permits remote attackers to circumvent address space layout randomization protections when a user visits a specially crafted website. The flaw is tracked as CVE-2015-0071 and carries a CVSS 3.1 score of 6.5, reflecting network attack vector, low complexity, no required privileges, and user interaction.

An attacker can deliver the exploit through a malicious web page that the victim is induced to load in a vulnerable IE instance. Successful exploitation disables ASLR for the browser process, thereby simplifying follow-on memory corruption attacks that aim to achieve arbitrary code execution or other integrity impacts without altering confidentiality or availability directly.

Microsoft addressed the issue in security bulletin MS15-009, with additional details available from sources such as SecurityFocus BID 72455 and SecurityTracker ID 1031723. No information on observed in-the-wild exploitation is provided in the available references.

EU & UK References

Vulnerability details

Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."

CWE(s)
KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
internet explorer
10, 11, 9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires memory protection mechanisms such as ASLR that the CVE bypasses in IE.

prevent

Mandates separate execution domains for processes, which ASLR supports and the vulnerability undermines.

prevent

Requires timely remediation of the identified IE flaw (MS15-009) to eliminate the ASLR bypass.

References