CVE-2016-0189
Vexday Risk Score
100 · Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.5 · EPSS 93.2% · KEV yes · Public PoC · Nuclei — · Metasploit yes · Patch referenced
Lifecycle
10 May 2016: Metasploit module available
11 May 2016: Published on NVD
22 Jun 2016: Public PoC
28 Mar 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A flaw in Microsoft's JScript and VBScript engines used by Internet Explorer allows attackers to run malicious code or crash the browser when a user visits a specially crafted website.
Technical detail
Out-of-bounds write vulnerability (CWE-787) in JScript 5.8 and VBScript 5.7/5.8 engines used in Internet Explorer 9-11. Remote attacker delivers crafted HTML/script via web page; no authentication required. Results in arbitrary code execution or denial of service through memory corruption.
Summary generated and translated by AI from the official description.
The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 4
github: github.com/theori-io/cve-2016-0189 (★ 114)
github: github.com/deamwork/MS16-051-poc (★ 3)
exploitdb: www.exploit-db.com/exploits/40118 (unverified)
cve_reference: www.exploit-db.com/exploits/40118/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-051
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-053
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0189
https://www.exploit-db.com/exploits/40118/
https://www.virusbulletin.com/virusbulletin/2017/01/journey-and-evolution-god-mode-2016-cve-2016-0189/
http://www.securityfocus.com/bid/90012
http://www.securitytracker.com/id/1035820