Cyber Resilience

CVE-2018-8174

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 09 May 2018
Modified: 28 October 2025
KEV Added: 15 February 2022
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9428 (99.9th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-8174 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2018-8174 is a remote code execution vulnerability in the Windows VBScript engine caused by improper handling of objects in memory, classified under CWE-787 as an out-of-bounds write. It affects Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.

An unauthenticated attacker can trigger the flaw over a network with no privileges required, although exploitation requires user interaction and presents high attack complexity. Successful exploitation yields full control over the target system, enabling arbitrary code execution with high impact to confidentiality, integrity, and availability.

Microsoft published an advisory detailing the issue and available updates, while a micropatch approach has also been demonstrated for certain deployments. Public exploit code for the vulnerability is available.

Vulnerability details

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CWE(s)
KEV Date Added: 15 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
microsoft | windows 10 1607 | all versions
microsoft | windows 10 1703 | all versions
microsoft | windows 10 1709 | all versions
microsoft | windows 10 1803 | all versions
microsoft | windows 7 | all versions
microsoft | windows 8.1 | all versions
microsoft | windows rt 8.1 | all versions
microsoft | windows server 2008 | all versions, r2
microsoft | windows server 2012 | all versions, r2
microsoft | windows server 2016 | all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires applying the vendor patch that eliminates the out-of-bounds write flaw in the VBScript engine.

prevent

Allows disabling or uninstalling the VBScript engine (or restricting its use) so the vulnerable component cannot be invoked.

SC-18 Mobile Code (partial match)
prevent

Establishes usage restrictions and technical controls on mobile code such as VBScript executed by the browser or Office.

References