CVE-2013-0074
CVE-2013-0074 is a high-severity vulnerability in Microsoft Silverlight with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-25).
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 9.3
- EPSS exploit prediction: 82% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-05-25)
- EU (EUVD) id: EUVD-2013-0117
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-05-25)
- Affected product: Microsoft Silverlight
- Published:
- Last modified:
Description
Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."
CVE-2013-0074: Microsoft Silverlight Double Dereference Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2013-0074 |
| Vendor | Microsoft |
| Product | Silverlight 5, Silverlight 5 Developer Runtime |
| CVSS v2 | 9.3 (Critical) — AV:N/AC:M/Au:N/C:C/I:C/A:C |
| CVSS v3.1 | 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| EPSS | 81.87% (99.6th percentile) |
| KEV | Yes — added 2022-05-25 |
| EU Exploited | Yes — since 2022-05-25 |
Summary
A pointer-validation flaw in Microsoft Silverlight 5's HTML object rendering path enables remote attackers to execute arbitrary code by tricking a user into running a malicious Silverlight application.
Background
Microsoft Silverlight was a browser plug-in for running rich internet applications. Although Microsoft ended support for Silverlight in October 2021, legacy deployments remain in some enterprise environments, making historic vulnerabilities relevant for residual-risk assessments and forensic reviews.
Root cause
The vulnerability stems from improper pointer validation during HTML object rendering in Silverlight 5. Specifically, a double-dereference condition can occur when the runtime processes certain HTML objects, leading to memory corruption. The exact CWE identifier was not specified in the source data.
Impact
- Confidentiality: Complete compromise (CVSS v2 C:C / v3.1 C:H)
- Integrity: Complete compromise (CVSS v2 I:C / v3.1 I:H)
- Availability: Complete compromise (CVSS v2 A:C / v3.1 A:H)
- Exploitability: Network-accessible (v2) or local (v3.1) with user interaction required; no authentication needed
The 9.3 CVSS v2 score reflects a network vector with medium attack complexity, while the 7.8 CVSS v3.1 score accounts for the local attack vector and required user interaction.
Exploitation walkthrough
Ethics caveat: This section describes the attack concept at a defensive level only. No weaponized exploit code is provided.
An attacker typically delivers a crafted Silverlight application embedded in a malicious web page or document. When a victim with a vulnerable Silverlight runtime visits the page or opens the document, the malformed HTML object triggers the double-dereference flaw. The corruption allows the attacker to divert execution flow and run arbitrary native code within the context of the current user. Successful exploitation has been observed in the wild; both CISA KEV and EUVD flagged this CVE as actively exploited.
Affected and patched versions
| Status | Version |
|---|---|
| Affected | Microsoft Silverlight 5 before 5.1.20125.0 |
| Affected | Microsoft Silverlight 5 Developer Runtime before 5.1.20125.0 |
| Patched | Microsoft Silverlight 5.1.20125.0 and later |
Remediation
- Upgrade: Install Silverlight 5.1.20125.0 or a later supported version.
- Compensating controls: If Silverlight cannot be updated or is no longer required, remove or disable the plug-in across all browsers. Microsoft ended Silverlight support in October 2021; migration to modern web technologies is strongly recommended.
- Network segmentation: Restrict access for legacy Silverlight-dependent applications to isolated network segments.
- User awareness: Train users to avoid untrusted documents and websites that may host Silverlight content.
Detection
- Monitor for execution of
sllauncher.exeor browser processes loading Silverlight assemblies from unusual paths. - Inspect network traffic for XAP file downloads from untrusted domains.
- Correlate endpoint telemetry with the CISA Known Exploited Vulnerabilities catalog and EUVD entries for CVE-2013-0074.
Assessment
With an EPSS probability of ~82% and placement in the 99.6th percentile, this CVE carries an exceptionally high likelihood of exploitation. Its inclusion in both the CISA KEV catalog and the EUVD exploited-vulnerabilities list confirms real-world active use. The primary lesson is that plug-in technologies with deep OS integration create long-tail risk: even after vendor support ends, unpatched instances in enterprise environments remain attractive targets. Organizations should treat Silverlight as a legacy attack surface and prioritize removal over continued patching.
References
- http://www.us-cert.gov/ncas/alerts/TA13-071A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-022
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16516
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16565
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0074
Frequently asked questions
- What is CVE-2013-0074?
- Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability."
- How severe is CVE-2013-0074?
- CVE-2013-0074 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2013-0074 being actively exploited?
- Yes. CVE-2013-0074 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2013-0074?
- CVE-2013-0074 affects Microsoft Silverlight. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2013-0074?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2013-0074 have an EU (EUVD) identifier?
- Yes. CVE-2013-0074 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2013-0117. It is also flagged as exploited in the EUVD (since 2022-05-25).
- When was CVE-2013-0074 published?
- CVE-2013-0074 was published on 2013-03-13 and last updated on 2026-06-16.
References
- http://www.us-cert.gov/ncas/alerts/TA13-071A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-022
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16516
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16565
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0074
Affected products (1)
- cpe:2.3:a:microsoft:silverlight:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Silverlight
- CVE-2015-6166 — Critical (CVSS 9.3): Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to execute arbitrary code or cause a denial of…
- CVE-2015-6108 — Critical (CVSS 9.3): The Windows font library in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8;…
- CVE-2015-2464 — Critical (CVSS 9.3): Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server…
- CVE-2015-2463 — Critical (CVSS 9.3): Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server…
- CVE-2015-2456 — Critical (CVSS 9.3): Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server…
- CVE-2015-2455 — Critical (CVSS 9.3): Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server…