CVE-2013-3918

HIGH CISA KEV

The InformationCardSigninHelper Class ActiveX control in icardie.dll in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted web page that is accessed by Internet Explorer, as exploited in the wild in November 2013, aka "InformationCardSigninHelper Vulnerability."

Published: Nov 12, 2013
Modified: Apr 22, 2026
CWE-787

CVSS Metrics

CVSSv3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products (14)

Vendor Product Version
microsoft windows_7 -
microsoft windows_8 -
microsoft windows_8.1 -
microsoft windows_rt -
microsoft windows_rt_8.1 -
microsoft windows_server_2003 -
microsoft windows_server_2008 r2
microsoft windows_server_2008 r2
microsoft windows_server_2008 sp2
microsoft windows_server_2012 -
microsoft windows_server_2012 r2
microsoft windows_vista -
microsoft windows_xp -
microsoft windows_xp -

References (16)

Risk Scores

CVSS Score 8.8 / 10
EPSS Score 73.87%

Top 1% most likely to be exploited

Threat Score 87.4 / 100

CISA Known Exploited

Date Added: 2025-10-06
Due Date: 2025-10-27
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Data Sources

NVD CISA KEV EPSS