CVE-2007-0940
CVE-2007-0940 is a critical-severity vulnerability in Microsoft Biztalk Server with a CVSS 2.0 base score of 9.3. Its EPSS exploit-prediction score of 76% places it in the 99th percentile, indicating an elevated likelihood of exploitation.
Key facts
- Severity: Critical (CVSS 2.0 base score 9.3)
- EPSS exploit prediction: 76% (99th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Microsoft Biztalk Server
- Published:
- Last modified:
Description
Unspecified vulnerability in the Cryptographic API Component Object Model Certificates ActiveX control (CAPICOM.dll) in Microsoft CAPICOM and BizTalk Server 2004 SP1 and SP2 allows remote attackers to execute arbitrary code via unspecified vectors, aka the "CAPICOM.Certificates Vulnerability."
Frequently asked questions
- What is CVE-2007-0940?
- Unspecified vulnerability in the Cryptographic API Component Object Model Certificates ActiveX control (CAPICOM.dll) in Microsoft CAPICOM and BizTalk Server 2004 SP1 and SP2 allows remote attackers to execute arbitrary code via unspecified vectors, aka the "CAPICOM.Certificates Vulnerability."
- How severe is CVE-2007-0940?
- CVE-2007-0940 has a CVSS 2.0 base score of 9.3, rated critical severity.
- Is CVE-2007-0940 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 76% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2007-0940?
- CVE-2007-0940 primarily affects Microsoft Biztalk Server. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2007-0940?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2007-0940 published?
- CVE-2007-0940 was published on 2007-05-08 and last updated on 2026-06-16.
References
- http://secunia.com/advisories/25185
- http://www.kb.cert.org/vuls/id/866305
- http://www.osvdb.org/34397
- http://www.securityfocus.com/archive/1/468871/100/200/threaded
- http://www.securityfocus.com/bid/23782
- http://www.securitytracker.com/id?1018016
- http://www.securitytracker.com/id?1018017
- http://www.us-cert.gov/cas/techalerts/TA07-128A.html
- http://www.vupen.com/english/advisories/2007/1713
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-028
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32739
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1670
Affected products (3)
- cpe:2.3:a:microsoft:biztalk_server:2004:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:biztalk_server:2004:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:capicom:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Biztalk Server
- CVE-2009-2496 — Critical (CVSS 9.3): Heap-based buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3,…
- CVE-2007-1201 — Critical (CVSS 9.3): Unspecified vulnerability in certain COM objects in Microsoft Office Web Components 2000 allows user-assisted remote…
- CVE-2012-0158 — High (CVSS 8.8): The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common…
- CVE-2003-0118 — High (CVSS 7.5): SQL injection vulnerability in the Document Tracking and Administration (DTA) website of Microsoft BizTalk Server 2000…
- CVE-2003-0117 — High (CVSS 7.5): Buffer overflow in the HTTP receiver function (BizTalkHTTPReceive.dll ISAPI) of Microsoft BizTalk Server 2002 allows…
- CVE-2015-2475 — Medium (CVSS 4.3): Cross-site scripting (XSS) vulnerability in uddi/search/frames.aspx in the UDDI Services component in Microsoft Windows…