CVE-2012-0158

HIGH CISA KEV

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Published: Apr 10, 2012 Modified: Apr 22, 2026

CWE-94 CWE-94

CVSS Metrics

CVSSv3

Attack Vector: NETWORK Attack Complexity: LOW Privileges Required: NONE User Interaction: REQUIRED Scope: UNCHANGED Confidentiality Impact: HIGH Integrity Impact: HIGH Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products (20)

Vendor	Product	Version
microsoft	office	2003
microsoft	office	2007
microsoft	office	2007
microsoft	office	2010
microsoft	office	2010
microsoft	office_web_components	2003
microsoft	sql_server_2000	-
microsoft	sql_server_2005	-
microsoft	sql_server_2008	-
microsoft	sql_server_2008	-
microsoft	sql_server_2008	r2
microsoft	sql_server_2008	r2
microsoft	biztalk_server	2002
microsoft	commerce_server	2002
microsoft	commerce_server	2007
microsoft	commerce_server_2009	-
microsoft	commerce_server_2009	r2
microsoft	visual_basic	6.0
microsoft	visual_foxpro	8.0
microsoft	visual_foxpro	9.0

References (25)

http://opensources.info/comment-on-the-curious-case-of-a-cve-2012-0158-exploit-by-chris-pierce/ Broken Link
http://www.securityfocus.com/bid/52911 Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1026899 Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1026900 Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1026902 Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1026903 Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1026904 Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1026905 Broken Link, Third Party Advisory, VDB Entry
http://www.us-cert.gov/cas/techalerts/TA12-101A.html Third Party Advisory, US Government Resource
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027 Patch, Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/74372 Third Party Advisory, VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15462 Broken Link
http://opensources.info/comment-on-the-curious-case-of-a-cve-2012-0158-exploit-by-chris-pierce/ Broken Link
http://www.securityfocus.com/bid/52911 Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id?1026899 Broken Link, Third Party Advisory, VDB Entry

Risk Scores

CVSS Score 8.8 / 10

EPSS Score 94.31%

Top 0% most likely to be exploited

Threat Score 93.5 / 100

CISA Known Exploited

Date Added: 2021-11-03

Due Date: 2022-05-03

Required Action:

Apply updates per vendor instructions.

Data Sources

NVD CISA KEV EPSS