CVE-2018-8174
CVE-2018-8174 is a high-severity vulnerability in Microsoft Windows 10 1607 with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-15). The underlying weakness is classified as CWE-787.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 7.6
- EPSS exploit prediction: 88% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-02-15)
- EU (EUVD) id: EUVD-2018-19844
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-02-15)
- Weakness: CWE-787
- Affected product: Microsoft Windows 10 1607
- Published:
- Last modified:
Description
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
CVE-2018-8174: Windows VBScript Engine Remote Code Execution (CWE-787)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-8174 |
| Published | 2018-05-09 |
| CVSS v2 | 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) |
| CWE | CWE-787 (Out-of-bounds Write) |
| EPSS | 0.87814 (99.7th percentile) |
| KEV | Yes (added 2022-02-15) |
| EU Exploited | Yes (since 2022-02-15) |
Summary
A remote code execution vulnerability exists in the Windows VBScript engine due to improper handling of objects in memory. An attacker can exploit this flaw to execute arbitrary code in the security context of the current user.
Background
CVE-2018-8174 affects the VBScript engine shipped with multiple Windows versions. VBScript (Visual Basic Scripting Edition) is an Active Scripting language developed by Microsoft, historically used in web pages via Internet Explorer and in Windows-based administration scripts. The vulnerability stems from how the VBScript engine manages object lifecycles and memory buffers when processing malformed input.
Root Cause
The vulnerability is classified as CWE-787: Out-of-bounds Write. The VBScript engine fails to properly validate boundaries when writing to memory buffers during object handling. This memory corruption flaw allows an attacker to overwrite adjacent memory regions, leading to arbitrary code execution. The high attack complexity (AC:H) in the CVSS vector reflects that the attacker must craft a specialized payload to reliably trigger the out-of-bounds condition.
Impact
| Metric | Rating |
|---|---|
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
| Scope | UNCHANGED |
Successful exploitation grants the attacker access to sensitive data, the ability to modify system files or install programs, and the capability to crash or render the system unusable. The CVSS v3.1 vector indicates that while network exploitation is possible, user interaction is required and the attack complexity is high.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section describes the exploitation flow from a defensive standpoint to aid detection and mitigation. No weaponized exploit code or step-by-step attack instructions are provided.
Attackers typically deliver exploits for CVE-2018-8174 through malicious web pages or Office documents that embed VBScript. The exploitation chain generally follows these stages:
- Delivery: The victim is lured to a malicious website or opens a weaponized document containing crafted VBScript.
- Trigger: The VBScript engine processes the malformed script, triggering an out-of-bounds write during object manipulation.
- Memory Corruption: The out-of-bounds write corrupts adjacent memory structures, potentially hijacking execution flow.
- Code Execution: The attacker gains arbitrary code execution in the security context of the current user.
Defenders should monitor for suspicious VBScript execution, especially from untrusted documents or unexpected web traffic.
Affected and Patched Versions
Affected Products:
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows 10 (versions 1607, 1703, 1709, 1803)
- Windows Server 2008 SP2
- Windows Server 2008 R2 SP1 (x64 and Itanium)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Patched Versions:
Microsoft released security updates for all affected versions. Organizations should verify patch levels via the Microsoft Security Response Center (MSRC) advisory.
Remediation
- Apply Security Updates: Install the Microsoft security updates referenced in the MSRC advisory for CVE-2018-8174.
- Disable VBScript: Where not required, disable VBScript execution in Internet Explorer and other applications.
- Application Whitelisting: Enforce application control policies to prevent execution of untrusted scripts.
- User Awareness: Train users to avoid opening untrusted documents and visiting suspicious websites.
- Compensating Controls: Implement Microsoft Defender Application Guard or similar sandboxing technologies to isolate untrusted web content.
Detection
- Monitor for anomalous VBScript execution in process creation logs (e.g.,
cscript.exeorwscript.exespawning unexpected child processes). - Inspect web proxy and email gateway logs for suspicious payloads containing VBScript.
- Use endpoint detection and response (EDR) tools to detect memory corruption patterns in the VBScript engine.
- Correlate exploitation indicators with the CISA KEV catalog and EUVD-2018-19844.
Assessment
With an EPSS score of 0.87814 (99.7th percentile) and confirmed inclusion in both the CISA Known Exploited Vulnerabilities (KEV) catalog and the EU Vulnerability Database (EUVD-2018-19844) since 2022-02-15, CVE-2018-8174 represents a critical and actively exploited threat. Organizations should prioritize patching on internet-facing systems and workstations with web/email access.
Key lessons:
- Legacy scripting engines remain high-value targets: VBScript, despite being legacy technology, continues to attract exploitation due to deep integration in Windows.
- High EPSS + KEV = immediate action: The combination of a high EPSS score and KEV confirmation should trigger accelerated patching timelines.
References
- http://www.securityfocus.com/bid/103998
- https://blog.0patch.com/2018/05/a-single-instruction-micropatch-for.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174
- https://www.exploit-db.com/exploits/44741/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8174
Frequently asked questions
- What is CVE-2018-8174?
- A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
- How severe is CVE-2018-8174?
- CVE-2018-8174 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-8174 being actively exploited?
- Yes. CVE-2018-8174 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-8174?
- CVE-2018-8174 primarily affects Microsoft Windows 10 1607. In total, 13 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-8174?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-8174 have an EU (EUVD) identifier?
- Yes. CVE-2018-8174 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-19844. It is also flagged as exploited in the EUVD (since 2022-02-15).
- When was CVE-2018-8174 published?
- CVE-2018-8174 was published on 2018-05-09 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/103998
- https://blog.0patch.com/2018/05/a-single-instruction-micropatch-for.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174
- https://www.exploit-db.com/exploits/44741/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-8174
Affected products (13)
- cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1703:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Windows 10 1607
- CVE-2026-47291 — Critical (CVSS 9.8): Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
- CVE-2026-44815 — Critical (CVSS 9.8): Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
- CVE-2026-33824 — Critical (CVSS 9.8): Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
- CVE-2025-60724 — Critical (CVSS 9.8): Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a…
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2025-47981 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over…
All CVEs affecting Microsoft Windows 10 1607 →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…