Cyber Resilience

CVE-2016-0162

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 April 2016

Modified: 21 April 2026
KEV Added: 24 May 2022
CVSS Score v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
EPSS Score: 0.4366 (97.6th percentile)
Risk Priority: 55 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-0162 is a medium-severity vulnerability of an unspecified weakness type in Microsoft Internet Explorer. Its CVSS base score is 4.3 (Medium).

Operationally, it is ranked in the top 2.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

Microsoft Internet Explorer versions 9 through 11 are affected by an information disclosure vulnerability that permits remote attackers to determine the existence of files on a target system through the use of specially crafted JavaScript code. The issue is tracked as CVE-2016-0162 with a CVSS v3 base score of 4.3 and is described by Microsoft as the "Internet Explorer Information Disclosure Vulnerability."

An unauthenticated remote attacker can exploit the flaw when a user visits a malicious or compromised website containing the crafted script. Successful exploitation reveals limited information about file presence without requiring user interaction beyond normal browsing, though it does not allow direct code execution or modification of data.

Microsoft security bulletin MS16-037 addresses the vulnerability and supplies the corresponding security updates for affected versions of Internet Explorer. The bulletin outlines patch installation as the primary mitigation step along with standard guidance on applying updates promptly.

EU & UK References

Vulnerability details

Microsoft Internet Explorer 9 through 11 allows remote attackers to determine the existence of files via crafted JavaScript code, aka "Internet Explorer Information Disclosure Vulnerability."

CWE(s)
KEV Date Added: 24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · internet explorer · versions 9, 10, 11

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires applying the vendor security update that eliminates the IE information-disclosure flaw.

SC-18 Mobile Code (partial match)
prevent

Restricts or authorizes mobile code (JavaScript) that the attacker uses to probe for file existence.

AU-13 Monitoring for Information Disclosure
detect

Monitors for anomalous information disclosure that would result from successful exploitation of the crafted script.

References