Cyber Resilience

CVE-2017-8464

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 15 June 2017

Modified: 22 April 2026
KEV Added: 10 February 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9388 (99.9th percentile)
Risk Priority: 94 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-8464 is a high-severity vulnerability of an unspecified weakness class in Microsoft Windows Server 2008. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

The vulnerability CVE-2017-8464 resides in the Windows Shell component of Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold/1511/1607/1703, and Windows Server 2016. It is triggered when a crafted .LNK shortcut file is parsed for icon display inside Windows Explorer or any other application that processes shortcut icons, resulting in arbitrary code execution.

An attacker can exploit the flaw either locally or remotely by supplying a malicious .LNK file that is rendered by the victim; successful exploitation grants code execution at the privileges of the user viewing the file. The issue carries a CVSS 3.1 base score of 8.8, with a network attack vector, low attack complexity, no required privileges, and user interaction limited to rendering the icon.

Microsoft published an advisory for CVE-2017-8464 on its security guidance portal, and public proof-of-concept code has been posted to Exploit Database.

Vulnerability details

Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."

CWE(s)
KEV Date Added: 10 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · windows 10 1511 · all versions
microsoft · windows 10 1607 · all versions
microsoft · windows 10 1703 · all versions
microsoft · windows 7 · all versions
microsoft · windows 8.1 · all versions
microsoft · windows rt 8.1 · all versions
microsoft · windows server 2008 · all versions, r2
microsoft · windows server 2012 · all versions, r2
microsoft · windows server 2016 · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely installation of the vendor patch that eliminates the LNK icon-parsing flaw before exploitation can occur.

prevent: Requires malicious-code protection mechanisms that scan or sandbox .LNK files before Windows Explorer renders their icons.

detect: Requires integrity verification of files and executables, enabling detection of unauthorized or crafted .LNK shortcut content.
