MSCOMCTL.OCX CVE-2012-0158
Severity: HIGH
CVSS Vector (NVD):
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."
Analysis (AI)
Remote code execution in the Microsoft MSCOMCTL.OCX ActiveX controls allows unauthenticated attackers to execute arbitrary code via maliciously crafted Office documents, RTF files, or web pages. The flaw has been actively exploited since April 2012 and is listed in the CISA KEV catalog. Despite the 2012 patch, an EPSS score of 94.32% (100th percentile) indicates continued exploitation attempts against unpatched systems. The vulnerability affects a broad range of Microsoft products, including Office 2003-2010, SQL Server 2000-2008 R2, BizTalk Server, Commerce Server, Visual FoxPro, and the Visual Basic 6.0 Runtime.
Technical Context (AI)
The vulnerability resides in four ActiveX controls (ListView, ListView2, TreeView, TreeView2) within MSCOMCTL.OCX, a shared component library used across Microsoft products for rendering common UI elements. The flaw is classified as CWE-94 (Code Injection) and allows attackers to trigger system state corruption when the ActiveX control parses specially crafted embedded objects. MSCOMCTL.OCX shipped with numerous Microsoft products from the late 1990s through 2010, creating extensive exposure. The ActiveX attack surface is particularly dangerous because these controls are automatically instantiated when processing Office documents, RTF files, or visiting web pages containing embedded objects, requiring no explicit user permission beyond opening the file. CPE data confirms impact spans Microsoft Office 2003 SP3 through 2010 SP1, Office Web Components 2003 SP3, SQL Server 2000 SP4 through 2008 R2, BizTalk Server 2002 SP1, Commerce Server 2002 SP4 through 2009 R2, Visual FoxPro 8.0 SP1 and 9.0 SP2, and Visual Basic 6.0 Runtime.
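Because the controls are instantiated as soon as a document embedding them is opened, a gateway or incident responder usually wants to know which RTF files reference them before anyone opens them. The following PowerShell triage check is an added example, not code from the vuln.today page or from Microsoft: it flags RTF text that carries the CLSID the page's remediation section names, both as the plain GUID string and as the byte sequence an OLE container stores on disk. It reports presence of the control, not proof of exploitation; legitimate documents can embed the same control, so a hit means "inspect", not "malicious". Assumptions of mine, not stated on the page: RTF embeds OLE objects as hex-encoded data under \objdata, and the CLSID appears in that data in the byte order .NET's [guid]::ToByteArray() produces. The sample RTF at the bottom is constructed for the demonstration.

```powershell
# Added example (not from the vuln.today page): flag RTF text that references the MSCOMCTL.OCX
# control CLSID given in the page's remediation section. Presence of the control is not proof of
# exploitation; use the result to prioritise manual inspection.

function Get-ClsidHexSignature {
    param([Parameter(Mandatory)][string]$Clsid)
    # ToByteArray() yields the on-disk layout used inside OLE compound files:
    # the first three GUID fields little-endian, the last two as written.
    $bytes = [guid]::new($Clsid).ToByteArray()
    return -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

function Test-RtfForControl {
    param(
        [Parameter(Mandatory)][string]$RtfText,
        # CLSID from the page's remediation text (assumption: the only one this page lists)
        [string]$Clsid = '{BDD1F04B-858B-11D1-B16A-00C0F0283628}'
    )
    $hexSig = Get-ClsidHexSignature -Clsid $Clsid
    # RTF writers wrap hex data at arbitrary column widths, so drop all whitespace before matching.
    $flat = $RtfText -replace '\s', ''
    [pscustomobject]@{
        HasOleControl = ($flat -match '\\objocx')                        # RTF keyword for an embedded OLE control
        HasClsidHex   = ($flat -match [regex]::Escape($hexSig))          # -match is case-insensitive by default
        HasClsidText  = ($flat -match [regex]::Escape($Clsid.Trim('{}')))
    }
}

function Test-RtfFile {
    param([Parameter(Mandatory)][string]$Path)
    $result = Test-RtfForControl -RtfText (Get-Content -Path $Path -Raw)
    $result | Add-Member -NotePropertyName Path -NotePropertyValue $Path -PassThru
}

# Constructed sample, not a real document: an RTF skeleton whose \objdata hex carries the CLSID
# bytes split across two lines, the way RTF writers commonly wrap hex.
$sampleRtf = @'
{\rtf1\ansi
{\object\objocx{\*\objdata
0105000002000000
4bf0d1bd8b85d111
b16a00c0f0283628
}}
}
'@

# Expected on the sample: HasOleControl and HasClsidHex are True, HasClsidText is False.
Test-RtfForControl -RtfText $sampleRtf | Format-List
```

To sweep a quarantine folder, pipe file paths into the file-level wrapper, for example `Get-ChildItem -Path C:\Quarantine -Filter *.rtf | ForEach-Object { Test-RtfFile -Path $_.FullName }`. Matching on the byte-order form as well as the text form matters because the CLSID inside an embedded OLE object is stored as binary, not as the dashed string a grep for the GUID would find.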
Remediation (AI)
Apply Microsoft Security Bulletin MS12-027, released April 2012 (https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027), which provides patches for all affected Microsoft products. For Office products, upgrade to patched versions of Office 2003 (post-MS12-027), Office 2007 (post-MS12-027), or Office 2010 SP1 with MS12-027 applied, or migrate to modern supported Office versions (2016 or later), which are not affected. For SQL Server, apply the cumulative updates specified in MS12-027 or upgrade to SQL Server 2012 or later. Organizations unable to patch immediately should prevent the affected ActiveX controls from being instantiated, either through application whitelisting or by setting the ActiveX kill bit in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}). Block Office documents and RTF files from untrusted sources at email gateways and web proxies. Disable ActiveX controls in Internet Explorer via Group Policy for non-essential users. Note that kill bit workarounds may break legitimate functionality in applications that rely on MSCOMCTL.OCX controls. Legacy products such as the Visual Basic 6.0 Runtime and BizTalk Server 2002 require vendor-specific patching or decommissioning, as they are no longer supported.
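The kill bit workaround above is a single registry value per control, but in practice it is worth checking the current state, preserving any flags Microsoft already set, and covering the 32-bit registry view on 64-bit Windows. The following script is an added example, not code from the vuln.today page or from Microsoft. It assumes the one CLSID the page gives; the other three affected controls have their own CLSIDs, which this page does not list, so extend the -Clsids parameter yourself from Microsoft's bulletin. It also assumes the documented meaning of the Compatibility Flags value (0x400 marks a control as never safe to instantiate) and that 32-bit components on 64-bit Windows read the redirected Wow6432Node hive. Writing under HKLM requires an elevated session; without -Apply the script only reports.

```powershell
# Added example (not from the vuln.today page or Microsoft): report and, with -Apply, set the ActiveX
# kill bit for the MSCOMCTL.OCX CLSID named in the remediation text. Run elevated to write.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # CLSID from the page; add the other affected controls' CLSIDs here (not listed on this page).
    [string[]]$Clsids = @('{BDD1F04B-858B-11D1-B16A-00C0F0283628}'),
    [switch]$Apply
)

# Compatibility Flags bit 0x400: the control is never instantiated by Internet Explorer or Office.
$KillBit = 0x400

# 64-bit Windows redirects 32-bit components such as MSCOMCTL.OCX to the Wow6432Node view,
# so the bit has to be set in both places to be effective there.
$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatibilityFlags {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Get-KillBitState {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path -Path $BasePath -ChildPath $Clsid
    $flags = if (Test-Path $key) { Get-CompatibilityFlags -Key $key } else { 0 }
    [pscustomobject]@{
        Key     = $key
        Exists  = (Test-Path $key)
        Flags   = ('0x{0:X}' -f $flags)
        KillBit = (($flags -band $KillBit) -eq $KillBit)
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path -Path $BasePath -ChildPath $Clsid
    if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags bit 0x400')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in rather than overwriting, so any other flags already present are preserved.
        $newValue = (Get-CompatibilityFlags -Key $key) -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $newValue -Force | Out-Null
    }
}

foreach ($clsid in $Clsids) {
    foreach ($base in $BasePaths) {
        $state = Get-KillBitState -BasePath $base -Clsid $clsid
        if ($Apply -and -not $state.KillBit) {
            Set-KillBit -BasePath $base -Clsid $clsid
            $state = Get-KillBitState -BasePath $base -Clsid $clsid   # re-read to confirm the write
        }
        $state
    }
}
```

Run it once without -Apply to see whether the bit is already set (Microsoft's own updates and earlier workarounds may have done so), then with -Apply -WhatIf to preview the writes, and finally with -Apply. Keep the output, since a kill bit that breaks a line-of-business application will have to be traced back to this change.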