CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability – An analysis by Quick Heal Security Labs

  • 4

The recent zero-day vulnerability in .NET Framework vulnerability CVE-2017-8759 enables attackers to perform a Remote Code Execution on the targeted machine. This vulnerability is found to be exploited in the wild through email spam messages loaded with malicious RTF files as an attachment. Microsoft has released a security update on September 12, 2017, to fix this issue.

Vulnerable Versions

The below versions of Microsoft Frameworks are affected by this vulnerability:

• Microsoft .NET Framework 2.0 SP2
• Microsoft .NET Framework 3.5
• Microsoft .NET Framework 3.5.1
• Microsoft .NET Framework 4.5.2
• Microsoft .NET Framework 4.6
• Microsoft .NET Framework 4.6.1
• Microsoft .NET Framework 4.6.2/4.7
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7
• Microsoft .NET Framework 4.7


This is a code injection vulnerability in SOAP Moniker which allows an attacker to perform a remote code execution on the targeted machine. After successful exploitation, the attacker can take control of vulnerable system and download and execute programs on the affected system at will.

The malicious RTF document, which is an initial attack vector, makes a request to a CNC server and downloads vulnerable SOAP WSDL content.

Fig 1. SOAP WSDL Content

Fig 1. SOAP WSDL Content

The vulnerability triggers while parsing the SOAP WSDL content and malicious payloads get downloaded and executed on the victim’s machine.

Quick Heal Detections

Quick Heal has released the following detections for the vulnerability CVE-2017-8759

  • Virus Protection
    • Exp.RTF.CVE-2017-8759
    • VID-03201 – .NET Framework Remote Code Execution Vulnerability

The observed payload in the wild delivered after the exploitation of this vulnerability was FINSPY. The payload is detected by Quick Heal as “Backdoor.FinSpy”.

This exploit is already being used in the wild and we expect more malicious campaigns will make use of this vulnerability in the future. Microsoft has patched this vulnerability and updates are available here. We strongly recommend users to apply these updates and also take the latest security updates by Quick Heal.

Subject Matter Expert

  • Pavankumar Chaudhari | Quick Heal Security Labs
Pavankumar Chaudhari

Pavankumar Chaudhari

No Comments, Be The First!

Your email address will not be published.