# [CRIT] CISA KEV: CVE-2017-8540 — Microsoft Malware Protection Engine Improper Restriction of Operations Vulnerability **Source:** CISA KEV **Published:** 2022-03-03 **Article:** https://www.cisa.gov/known-exploited-vulnerabilities-catalog ## Threat Profile CISA KEV entry. The U.S. federal "Known Exploited Vulnerabilities" catalog only adds CVEs that have been **observed exploited in the wild**. Federal civilian agencies are required to remediate by the published due date; the same prioritisation logic applies to any sensible enterprise SOC. Vendor / Product: **Microsoft Malware Protection Engine Improper Restriction of Operations** ## Indicators of Compromise - CVE-2017-8540 — match against your vulnerability scanner ## MITRE ATT&CK - **T1190 — Exploit Public-Facing Application** (KEV implies active exploitation against exposed assets) ## Recommended hunts Standard asset-exposure hunt — the canonical Splunk SPL and Defender KQL live once in [`../_TEMPLATES.md#asset-exposure`](../_TEMPLATES.md#asset-exposure). Substitute this CVE wherever the template references ``: - **CVE:** `CVE-2017-8540` ## Why this matters Anything in CISA KEV is *currently* being exploited. Even if your scanners say "not vulnerable" because of patches, it's worth one quick check across your fleet — patch lag is the silent killer. Federal due-date dates also frequently match the timing your organisation will be asked about by auditors / regulators. ## Source body The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to memory corruption. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability". Vendor: Microsoft, Product: Malware Protection Engine. Federal patch due: 2022-03-24. CVE-2017-8540