Cyber Resilience

CVE-2017-0022

MediumCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 17 March 2017

Published
17 March 2017
Modified
22 April 2026
KEV Added
24 May 2022
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score 0.3669 97.2th percentile
Risk Priority 55 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2017-0022 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 2.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2008 SP2 and R2 SP1; Windows Server 2012 Gold and R2; Windows Server 2016; and Windows Vista SP2 contains an information disclosure vulnerability. The component improperly handles objects in memory, which can be leveraged to reveal the presence of arbitrary files on disk. The issue is tracked as CWE-119 with a CVSS 3.1 base score of 6.5 reflecting network attack vector, low complexity, and high confidentiality impact.

An unauthenticated remote attacker can exploit the flaw by convincing a user to visit a specially crafted web site under the attacker's control. Successful exploitation allows the attacker to test for the existence of files on the victim's local disk without requiring additional privileges or user interaction beyond visiting the page, resulting in targeted information disclosure.

The Microsoft Security Response Center advisory for CVE-2017-0022 provides official guidance on available patches and mitigations for the listed Windows versions. A related security blog post documents the vulnerability's incorporation into exploit kit activity, confirming real-world use for file-existence probing in the wild.

EU & UK References

Vulnerability details

Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2008 SP2 and R2 SP1; Windows Server 2012 Gold and R2; Windows Server 2016; and Windows Vista SP2…

more

improperly handles objects in memory, allowing attackers to test for files on disk via a crafted web site, aka "Microsoft XML Information Disclosure Vulnerability."

CWE(s)
KEV Date Added
24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
xml core services
3.0
microsoft
windows 8.1
all versions
microsoft
windows server 2008
r2
microsoft
windows server 2012
all versions, r2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patches Microsoft released for CVE-2017-0022, eliminating the MSXML memory-handling flaw before exploitation.

SC-18 Mobile Code partial match
prevent

Restricts or disables mobile code (scripts/active content) delivered by untrusted web sites, blocking the crafted-page vector used to trigger the MSXML information disclosure.

preventdetect

Deploys malicious-code protection mechanisms that can inspect or sandbox web content attempting to abuse the MSXML file-existence probe.

References