CVE-2017-8540

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 May 2017
Modified: 22 April 2026
KEV Added: 03 March 2022
Patch: available (see References)
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.7943 (99.1st percentile)
Risk Priority: 83 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-8540 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability is a remote code execution flaw, tracked as CVE-2017-8540, in the Microsoft Malware Protection Engine used by Microsoft Forefront, Microsoft Defender, and related products. It affects Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, multiple Windows 10 releases through 1703, Windows Server 2016, and Microsoft Exchange Server 2013 and 2016. The root cause is improper handling of a specially crafted file during scanning, which produces memory corruption classified under CWE-787.

An attacker can exploit the issue by supplying a malicious file that the engine processes on the target system. Successful exploitation grants arbitrary code execution with the privileges of the scanning process; the CVSS vector indicates local attack vector, low complexity, no authentication required, and user interaction needed, resulting in full confidentiality, integrity, and availability impact.

Publicly available references, including the Microsoft Security Response Center advisory and an entry on Exploit-DB, indicate that updates addressing the flaw have been released, and at least one working exploit has been published.

EU & UK References

Vulnerability details

The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file, leading to memory corruption. Also known as "Microsoft Malware Protection Engine Remote Code Execution Vulnerability"; this is a different vulnerability from CVE-2017-8538 and CVE-2017-8541.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor     Product                             Versions
microsoft  malware protection engine           1.1.13701.0 — 1.1.13704.0
microsoft  endpoint protection                 all versions
microsoft  exchange server                     2013, 2016
microsoft  forefront endpoint protection       2010, all versions
microsoft  forefront security                  all versions
microsoft  intune endpoint protection          all versions
microsoft  security essentials                 all versions
microsoft  system center endpoint protection   all versions
microsoft  windows defender                    all versions

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly requires timely installation of the vendor patches released to correct the memory-corruption flaw in the Malware Protection Engine.

prevent (SI-16, Memory Protection): Implements memory-protection mechanisms that can block the out-of-bounds write (CWE-787) exploited by the crafted file.

prevent: Requires the malicious-code protection capability whose failure is the root cause; proper configuration and updates of the engine itself reduce exposure.
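The flaw-remediation control above comes down to one question for each endpoint: is the Malware Protection Engine still inside the affected version range? The following PowerShell check is an added example written for this page, not code from the CVE record or from Microsoft. It assumes the Windows Defender PowerShell module (the real Get-MpComputerStatus cmdlet and its AMEngineVersion, RealTimeProtectionEnabled and AntivirusSignatureAge properties) is present, which is the case on Windows 8.1 / Server 2012 R2 and later but not on Windows 7 or Server 2008. The version bounds are copied from this page's Affected Assets entry (1.1.13701.0 — 1.1.13704.0); the page does not say whether the upper bound is inclusive, so the check flags any version at or below it for review against the vendor advisory rather than silently clearing it.

```powershell
# Added example (not part of this CVE record): report whether the local
# Malware Protection Engine version falls inside the affected range listed
# on this page. Requires the Defender module (Get-MpComputerStatus), i.e.
# Windows 8.1 / Server 2012 R2 or later.

# Bounds taken from this page's "Affected Assets" entry. Confirm them against
# the MSRC advisory before treating the result as authoritative.
$AffectedLow  = [version]'1.1.13701.0'
$AffectedHigh = [version]'1.1.13704.0'

function Test-MpEngineAffected {
    param(
        [Parameter(Mandatory)][version]$EngineVersion,
        [version]$Low  = $AffectedLow,
        [version]$High = $AffectedHigh
    )
    # Inclusive comparison on purpose: a host sitting exactly on the upper
    # bound is reported for review rather than assumed patched.
    return ($EngineVersion -ge $Low) -and ($EngineVersion -le $High)
}

function Get-MpEngineExposure {
    # Collects the engine version plus the two settings that determine how
    # soon a crafted file would actually reach the engine: real-time scanning
    # and signature/engine update freshness.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $engine
        InAffectedRange  = Test-MpEngineAffected -EngineVersion $engine
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        SignatureAgeDays = $status.AntivirusSignatureAge
    }
}

# Usage: run locally, or wrap in Invoke-Command -ComputerName for a fleet.
Get-MpEngineExposure | Format-List
```

Because the engine updates itself through the normal definition-update channel, a host that reports InAffectedRange = True and a large SignatureAgeDays value usually points at a broken update path (blocked egress, a stale WSUS/SCCM source) rather than a missing patch, which is the thing to fix first.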

References