COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2010-0249

CVE-2010-0249

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-05-20
Reference
https://nvd.nist.gov/vuln/detail/CVE-2010-0249
⚡ RCE ⌖ exploited in the wild shame 45/100 rceexploited-in-wildransomwareunpatched

Microsoft Internet Explorer use-after-free vulnerability (CVE-2010-0249) allows remote code execution on EoL browsers.

This use-after-free flaw enables remote attackers to execute arbitrary code on Internet Explorer, a product Microsoft has marked as end-of-life and end-of-service. DIB organizations must ensure no legacy IE usage remains in their environments to avoid exploitation via compromised web content.

Shame score — While the vulnerability is actively exploited and linked to ransomware, the vendor has publicly disclosed it and marked the product as EoL, reducing the avoidability compared to negligent defaults.

Players implicated

Microsoft · vendorInternet Explorer · product

Description

Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

Affected FedRAMP products 4 in the catalog

ProductProviderStatusMatch
Azure Commercial Cloud Microsoft Authorized vendor-exact · 0.90
Azure Government (includes Dynamics 365) Microsoft Authorized vendor-exact · 0.90
Microsoft Office 365 GCC High Microsoft In Process vendor-exact · 0.90
Office 365 Multi-Tenant & Supporting Services Microsoft Authorized vendor-exact · 0.90