Is CVE-2009-2493 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 43%.

What products does CVE-2009-2493 affect?

Tracked products affected include Microsoft Visual Studio. Check the version you run to see whether it is affected.

How do I fix CVE-2009-2493?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2009-2493

Q: What is CVE-2009-2493?

CVE-2009-2493 is a high-severity software vulnerability (CWE-264) with a CVSS score of 8.8. The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1,

HIGH severity · CVSS 8.8 · CWE-264

8.8CVSS HIGH

Summary

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionRequired

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)43%

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products we track (1)

Microsoft Visual Studio

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

CVE-2009-2493

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information