Microsoft Malware Protection Engine < 1.1.13903 RCE

Critical Nessus Plugin ID 101027


The remote host has an antimalware application installed that is affected by a remote code execution vulnerability.


The version of Microsoft Malware Protection Engine (MMPE) installed on the remote Windows host is prior to 1.1.13903.0. It is, therefore, affected by a remote code execution vulnerability due to improper handling of files during scanning. An unauthenticated, remote attacker can exploit this, via a specially crafted file, to execute arbitrary code in the security context of the LocalSystem account. Note that only x86 or 32-bit based versions of the MMPE are affected by this vulnerability.

Nessus has checked whether a vulnerable version of MMPE is being used by any of the following applications:

- Microsoft Forefront Endpoint Protection 2010.

- Microsoft Endpoint Protection.

- Microsoft Forefront Security for SharePoint.

- Microsoft System Center Endpoint Protection.

- Microsoft Security Essentials.

- Windows Defender for Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows 10 1511, Windows 10 1607, Windows 10 1703, and Windows Server 2016.

- Windows Intune Endpoint Protection.


Enable automatic updates to update the scan engine for the relevant antimalware applications.

Plugin Details

Severity: Critical

ID: 101027

File Name: microsoft_mpeng_1_1_13903.nasl

Version: $Revision: 1.6 $

Type: local

Agent: windows

Family: Windows

Published: 2017/06/23

Modified: 2017/12/18

Dependencies: 13855, 43164

Risk Information

Risk Factor: Critical


CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:ND


CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:X

Vulnerability Information

CPE: cpe:/o:microsoft:windows, cpe:/a:microsoft:malware_protection_engine

Required KB Items: SMB/Registry/Enumerated, SMB/ARCH

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/06/23

Vulnerability Publication Date: 2017/06/23

Reference Information

CVE: CVE-2017-8558

BID: 99262

OSVDB: 159764