How to fix CVE-2018-8174?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.

Is Windows affected by CVE-2018-8174?

CVE-2018-8174 presents notable security risk, a out-of-bounds write vulnerability rated CVSS 7.5. Exploitation could allow attackers to corrupt memory, crash the application, or potentially execute arbitrary code.

CVE-2018-8174

HIGH

2018-05-09 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 11:18 vuln.today

Patch Released

Oct 28, 2025 - 14:13 nvd

Patch available

PoC Detected

Oct 28, 2025 - 14:13 vuln.today

Public exploit code

Added to CISA KEV

Oct 28, 2025 - 14:13 cisa

CISA KEV

CVE Published

May 09, 2018 - 19:29 nvd

HIGH 7.5

Description

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Analysis

The Windows VBScript engine contains a remote code execution vulnerability in object handling that allows full system compromise through crafted web pages, exploited in the wild as a zero-day before the May 2018 patch.

Technical Context

The CWE-787 out-of-bounds write in the VBScript engine (vbscript.dll) is triggered when processing crafted VBScript code that manipulates object references. The exploit uses use-after-free techniques to gain arbitrary read/write primitives, enabling full code execution. Delivered through IE or Office documents embedding VBScript.

Affected Products

['Microsoft Windows 7 through Windows 10', 'Microsoft Windows Server 2008 through Server 2016', 'Internet Explorer (VBScript engine)', 'Microsoft Office (via embedded VBScript)']

Remediation

Apply Microsoft security update. Disable VBScript in IE via registry or Group Policy. Restrict IE to trusted sites only. Use modern browsers that don't support VBScript.

Priority Score

212

Low Medium High Critical

KEV: +50

EPSS: +94.3

CVSS: +38

POC: +20

CVE-2018-8174 vulnerability details – vuln.today

Back

CVE-2018-8174

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2018-8174

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code