CVE-2018-8174

CVE-2018-8174 is a high-severity vulnerability in Microsoft Windows 10 1607 with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-15). The underlying weakness is classified as CWE-787.

Key facts

Description

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

CVE-2018-8174: Windows VBScript Engine Remote Code Execution (CWE-787)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2018-8174
Published 2018-05-09
CVSS v2 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVSS v3 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
CWE CWE-787 (Out-of-bounds Write)
EPSS 0.87814 (99.7th percentile)
KEV Yes (added 2022-02-15)
EU Exploited Yes (since 2022-02-15)

Summary

A remote code execution vulnerability exists in the Windows VBScript engine due to improper handling of objects in memory. An attacker can exploit this flaw to execute arbitrary code in the security context of the current user.

Background

CVE-2018-8174 affects the VBScript engine shipped with multiple Windows versions. VBScript (Visual Basic Scripting Edition) is an Active Scripting language developed by Microsoft, historically used in web pages via Internet Explorer and in Windows-based administration scripts. The vulnerability stems from how the VBScript engine manages object lifecycles and memory buffers when processing malformed input.

Root Cause

The vulnerability is classified as CWE-787: Out-of-bounds Write. The VBScript engine fails to properly validate boundaries when writing to memory buffers during object handling. This memory corruption flaw allows an attacker to overwrite adjacent memory regions, leading to arbitrary code execution. The high attack complexity (AC:H) in the CVSS vector reflects that the attacker must craft a specialized payload to reliably trigger the out-of-bounds condition.

Impact

Metric Rating
Confidentiality HIGH
Integrity HIGH
Availability HIGH
Scope UNCHANGED

Successful exploitation grants the attacker access to sensitive data, the ability to modify system files or install programs, and the capability to crash or render the system unusable. The CVSS v3.1 vector indicates that while network exploitation is possible, user interaction is required and the attack complexity is high.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: This section describes the exploitation flow from a defensive standpoint to aid detection and mitigation. No weaponized exploit code or step-by-step attack instructions are provided.

Attackers typically deliver exploits for CVE-2018-8174 through malicious web pages or Office documents that embed VBScript. The exploitation chain generally follows these stages:

  1. Delivery: The victim is lured to a malicious website or opens a weaponized document containing crafted VBScript.
  2. Trigger: The VBScript engine processes the malformed script, triggering an out-of-bounds write during object manipulation.
  3. Memory Corruption: The out-of-bounds write corrupts adjacent memory structures, potentially hijacking execution flow.
  4. Code Execution: The attacker gains arbitrary code execution in the security context of the current user.

Defenders should monitor for suspicious VBScript execution, especially from untrusted documents or unexpected web traffic.

Affected and Patched Versions

Affected Products:

  • Windows 7 SP1
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10 (versions 1607, 1703, 1709, 1803)
  • Windows Server 2008 SP2
  • Windows Server 2008 R2 SP1 (x64 and Itanium)
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Patched Versions:
Microsoft released security updates for all affected versions. Organizations should verify patch levels via the Microsoft Security Response Center (MSRC) advisory.

Remediation

  1. Apply Security Updates: Install the Microsoft security updates referenced in the MSRC advisory for CVE-2018-8174.
  2. Disable VBScript: Where not required, disable VBScript execution in Internet Explorer and other applications.
  3. Application Whitelisting: Enforce application control policies to prevent execution of untrusted scripts.
  4. User Awareness: Train users to avoid opening untrusted documents and visiting suspicious websites.
  5. Compensating Controls: Implement Microsoft Defender Application Guard or similar sandboxing technologies to isolate untrusted web content.

Detection

  • Monitor for anomalous VBScript execution in process creation logs (e.g., cscript.exe or wscript.exe spawning unexpected child processes).
  • Inspect web proxy and email gateway logs for suspicious payloads containing VBScript.
  • Use endpoint detection and response (EDR) tools to detect memory corruption patterns in the VBScript engine.
  • Correlate exploitation indicators with the CISA KEV catalog and EUVD-2018-19844.

Assessment

With an EPSS score of 0.87814 (99.7th percentile) and confirmed inclusion in both the CISA Known Exploited Vulnerabilities (KEV) catalog and the EU Vulnerability Database (EUVD-2018-19844) since 2022-02-15, CVE-2018-8174 represents a critical and actively exploited threat. Organizations should prioritize patching on internet-facing systems and workstations with web/email access.

Key lessons:

  1. Legacy scripting engines remain high-value targets: VBScript, despite being legacy technology, continues to attract exploitation due to deep integration in Windows.
  2. High EPSS + KEV = immediate action: The combination of a high EPSS score and KEV confirmation should trigger accelerated patching timelines.

References

Frequently asked questions

What is CVE-2018-8174?
A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
How severe is CVE-2018-8174?
CVE-2018-8174 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2018-8174 being actively exploited?
Yes. CVE-2018-8174 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-15, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-8174?
CVE-2018-8174 primarily affects Microsoft Windows 10 1607. In total, 13 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2018-8174?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-8174 have an EU (EUVD) identifier?
Yes. CVE-2018-8174 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-19844. It is also flagged as exploited in the EUVD (since 2022-02-15).
When was CVE-2018-8174 published?
CVE-2018-8174 was published on 2018-05-09 and last updated on 2026-06-17.

References

Affected products (13)

More vulnerabilities in Microsoft Windows 10 1607

All CVEs affecting Microsoft Windows 10 1607 →

Other CWE-787 (Out-of-bounds Write) vulnerabilities

Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →