CVE-2013-0074

CVE-2013-0074 is a high-severity vulnerability in Microsoft Silverlight with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-25).

Key facts

Description

Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."

CVE-2013-0074: Microsoft Silverlight Double Dereference Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2013-0074
Vendor Microsoft
Product Silverlight 5, Silverlight 5 Developer Runtime
CVSS v2 9.3 (Critical) — AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS v3.1 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS 81.87% (99.6th percentile)
KEV Yes — added 2022-05-25
EU Exploited Yes — since 2022-05-25

Summary

A pointer-validation flaw in Microsoft Silverlight 5's HTML object rendering path enables remote attackers to execute arbitrary code by tricking a user into running a malicious Silverlight application.

Background

Microsoft Silverlight was a browser plug-in for running rich internet applications. Although Microsoft ended support for Silverlight in October 2021, legacy deployments remain in some enterprise environments, making historic vulnerabilities relevant for residual-risk assessments and forensic reviews.

Root cause

The vulnerability stems from improper pointer validation during HTML object rendering in Silverlight 5. Specifically, a double-dereference condition can occur when the runtime processes certain HTML objects, leading to memory corruption. The exact CWE identifier was not specified in the source data.

Impact

  • Confidentiality: Complete compromise (CVSS v2 C:C / v3.1 C:H)
  • Integrity: Complete compromise (CVSS v2 I:C / v3.1 I:H)
  • Availability: Complete compromise (CVSS v2 A:C / v3.1 A:H)
  • Exploitability: Network-accessible (v2) or local (v3.1) with user interaction required; no authentication needed

The 9.3 CVSS v2 score reflects a network vector with medium attack complexity, while the 7.8 CVSS v3.1 score accounts for the local attack vector and required user interaction.

Exploitation walkthrough

Ethics caveat: This section describes the attack concept at a defensive level only. No weaponized exploit code is provided.

An attacker typically delivers a crafted Silverlight application embedded in a malicious web page or document. When a victim with a vulnerable Silverlight runtime visits the page or opens the document, the malformed HTML object triggers the double-dereference flaw. The corruption allows the attacker to divert execution flow and run arbitrary native code within the context of the current user. Successful exploitation has been observed in the wild; both CISA KEV and EUVD flagged this CVE as actively exploited.

Affected and patched versions

Status Version
Affected Microsoft Silverlight 5 before 5.1.20125.0
Affected Microsoft Silverlight 5 Developer Runtime before 5.1.20125.0
Patched Microsoft Silverlight 5.1.20125.0 and later

Remediation

  1. Upgrade: Install Silverlight 5.1.20125.0 or a later supported version.
  2. Compensating controls: If Silverlight cannot be updated or is no longer required, remove or disable the plug-in across all browsers. Microsoft ended Silverlight support in October 2021; migration to modern web technologies is strongly recommended.
  3. Network segmentation: Restrict access for legacy Silverlight-dependent applications to isolated network segments.
  4. User awareness: Train users to avoid untrusted documents and websites that may host Silverlight content.

Detection

  • Monitor for execution of sllauncher.exe or browser processes loading Silverlight assemblies from unusual paths.
  • Inspect network traffic for XAP file downloads from untrusted domains.
  • Correlate endpoint telemetry with the CISA Known Exploited Vulnerabilities catalog and EUVD entries for CVE-2013-0074.

Assessment

With an EPSS probability of ~82% and placement in the 99.6th percentile, this CVE carries an exceptionally high likelihood of exploitation. Its inclusion in both the CISA KEV catalog and the EUVD exploited-vulnerabilities list confirms real-world active use. The primary lesson is that plug-in technologies with deep OS integration create long-tail risk: even after vendor support ends, unpatched instances in enterprise environments remain attractive targets. Organizations should treat Silverlight as a legacy attack surface and prioritize removal over continued patching.

References

Frequently asked questions

What is CVE-2013-0074?
Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."
How severe is CVE-2013-0074?
CVE-2013-0074 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2013-0074 being actively exploited?
Yes. CVE-2013-0074 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2013-0074?
CVE-2013-0074 affects Microsoft Silverlight. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2013-0074?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2013-0074 have an EU (EUVD) identifier?
Yes. CVE-2013-0074 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2013-0117. It is also flagged as exploited in the EUVD (since 2022-05-25).
When was CVE-2013-0074 published?
CVE-2013-0074 was published on 2013-03-13 and last updated on 2026-06-16.

References

Affected products (1)

More vulnerabilities in Microsoft Silverlight

All CVEs affecting Microsoft Silverlight →