Planned Fix

CVE-2013-3900

Microsoft WinVerifyTrust function Remote Code Execution

Summary

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files. An attacker can modify a signed PE file so malicious code sits in unverified portions of the file without invalidating the signature. A victim must run or install the crafted file, and the payload executes in the context of the launched process or user.

Why Planned Fix?

4/6
No authentication required
Internal deployment
User interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
Yes
Is authentication needed?
No
PoC / Exploit
Yes
Impact

Execute arbitrary code in the context of the launched signed PE file, potentially taking full control if the user has elevated rights.

Full System Compromise
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker prepares a signed PE file and appends or hides malicious code in the unverified portion of the file. The attacker then delivers the file through email, a download site, or another social-engineering channel and convinces the victim to run or install it. When Windows validates the signature with WinVerifyTrust, the signature still appears valid, but the appended code is executed when the file launches.

Detection Resources

Manual Detection: 0
Script Detection: 0
Scanner Detection: 2

Affected Software

Vendor: Microsoft
Product: Windows
Affected Versions: XP SP2/SP3, Server 2003 SP2, Vista SP2, Server 2008 SP2/R2 SP1, 7 SP1, 8, 8.1, Server 2012/2012 R2, RT/RT 8.1; on Windows 10/11 the stricter Authenticode verification is opt-in via EnableCertPaddingCheck
Description

Microsoft Windows is a desktop and server operating system family. WinVerifyTrust is the Windows API used to verify the trust and digital signatures of files such as PE executables.

Deployment: Typically internal
Affected Component: WinVerifyTrust Authenticode signature verification for portable executable (PE) files.

Vendor Size: Big
Remediation
Workaround
Enable stricter Authenticode verification by setting EnableCertPaddingCheck=1 under HKLM\Software\Microsoft\Cryptography\Wintrust\Config and the Wow6432Node equivalent on 64-bit systems, then reboot.

msrc.microsoft.com
Patch

Not available

Update
Install the Microsoft security update for MS13-098 (KB2893294) on affected legacy Windows versions to fix WinVerifyTrust signature validation.

learn.microsoft.com
Threat Intelligence
EPSS Score: 76.2%

Probability of exploitation in the next 30 days

EPSS Percentile: 99%

Worse than 99% of all CVEs

CISA KEV: Listed
Active Exploitation: Active
cloud.google.com
Threat Actors (1)

UNC4736: suspected North Korean nexus cluster tied to 3CX and cryptocurrency/fintech-related services

Detection Rules (1)
Other
Alert on signed PE files whose WIN_CERTIFICATE padding or appended data is non-zero, especially when the file is launched from email/download locations.
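As an added illustration of that rule (not code from this page, Microsoft, or any vendor tool), the following Python check walks a PE's attribute certificate table and reports bytes that the Authenticode hash never covers: non-zero slack after the PKCS#7 blob inside a WIN_CERTIFICATE entry, which is what EnableCertPaddingCheck=1 rejects, and data trailing the table. build_sample_pe and SAMPLE_PKCS7 are constructed fixtures for exercising the detector, not real signed binaries.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot of the Attribute Certificate Table
SAMPLE_PKCS7 = b"\x30\x05\x04\x03ABC"  # constructed stand-in for a PKCS#7 blob: DER SEQUENCE of one OCTET STRING

def der_sequence_len(buf: bytes) -> int:
    """Total encoded size of the DER SEQUENCE at buf[0]; a PKCS#7 ContentInfo is such a SEQUENCE."""
    if buf[:1] != b"\x30":
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n following bytes hold the length
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def check_authenticode_padding(pe: bytes) -> dict:
    """Report bytes the Authenticode hash never covers: non-zero slack after the PKCS#7 blob in
    each WIN_CERTIFICATE (what EnableCertPaddingCheck=1 rejects) and data after the table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                         # "PE\0\0" (4) + COFF file header (20)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories start: PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    slack, pos, end = b"", sec_off, sec_off + sec_size
    while sec_size and pos < end:
        length = struct.unpack_from("<I", pe, pos)[0]     # WIN_CERTIFICATE.dwLength
        if length < 8: raise ValueError("malformed WIN_CERTIFICATE entry")
        used = der_sequence_len(pe[pos + 8:pos + length])  # bytes the signature blob occupies
        aligned = (length + 7) & ~7                       # entries are 8-byte aligned
        slack += pe[pos + 8 + used:pos + aligned]         # blob end .. entry end: should be zeros
        pos += aligned
    appended = len(pe) - end if sec_size else 0           # the table is normally last in the file
    return {"unsigned_slack": slack, "appended_len": appended,
            "suspicious": any(slack) or appended > 0}

def build_sample_pe(pkcs7: bytes, inject: bytes = b"") -> bytes:
    """Constructed, non-loadable PE32+ image with one WIN_CERTIFICATE holding pkcs7 then inject."""
    body = pkcs7 + inject
    entry = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body  # dwLength, rev 2.0, PKCS_SIGNED_DATA
    entry += b"\0" * (-len(entry) % 8)                                # 8-byte alignment padding
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)      # x64, no sections, 240-byte optional hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x40 + 4 + 20 + 240, len(entry))                 # table file offset and size
    return dos + b"PE\0\0" + coff + bytes(opt) + entry
```

On a real file, call check_authenticode_padding(open(path, "rb").read()); a signed binary that passes the stricter verification returns an all-zero unsigned_slack and appended_len 0.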

NVD Data


Description Summary

Why is Microsoft republishing a CVE from 2013?

We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013. Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software.

Vulnerability Description

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an... See more at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

CVSS Base Score

5.5
Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): High
Availability (A): None
CWE: CWE-347 Improper Verification of Cryptographic Signature

Affected Software (CPE) (31)

  • cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_24h2:-:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_24h2:-:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2025:-:*:*:*:*:*:*:*

Sources

Sources (8)

  • msrc.microsoft.com: CVE-2013-3900 Security Update Guide
  • learn.microsoft.com: Microsoft Security Bulletin MS13-098
  • nvd.nist.gov: CVE-2013-3900 Detail
  • cloud.google.com: 3CX Software Supply Chain Compromise
  • notifications.qualys.com: Qualys Coverage for CVE-2013-3900
  • tenable.com: CVE-2013-3900
  • learn.microsoft.com: WinVerifyTrust function
  • github.com: SigFlip

Priority History

Planned Fix

Initial analysis