CVE-2015-2425 — Microsoft Internet Explorer Memory Corruption Vulnerability

Internet Explorer — Memory Corruption via Crafted Web Page Enables RCE; July 2015 Patch Tuesday; Patched MS15-065

What Is Internet Explorer?

Internet Explorer (IE) was Microsoft's web browser from 1995 through its discontinuation in June 2022. At its peak, IE held over 90% browser market share, making IE vulnerabilities the highest-impact browser attack surface. IE's rendering engine (Trident/MSHTML) and scripting engines (JScript, VBScript) were the target of continuous exploitation — the browser was the primary entry point for both APT attacks and mass criminal exploitation via exploit kits throughout the 2000s and 2010s.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-2425 is a memory corruption vulnerability in Microsoft Internet Explorer that allows remote attackers to execute arbitrary code or cause a denial of service when a user visits a specially crafted web page. The vulnerability is an out-of-bounds write in the IE MSHTML rendering engine. It was patched in MS15-065 (July 14, 2015), the same cumulative IE update that also addressed CVE-2015-2419 (JScript memory corruption). See also related IE vulnerabilities from this period: CVE-2015-2419 and CVE-2015-2502.

Affected Versions

Internet Explorer | Status
IE 7 | Vulnerable
IE 8 | Vulnerable
IE 9 | Vulnerable
IE 10 | Vulnerable
IE 11 | Vulnerable

Fixed in MS15-065 (July 2015 cumulative IE update).

Technical Details

Root Cause: MSHTML Memory Corruption

CVE-2015-2425 involves out-of-bounds write memory corruption in Internet Explorer's MSHTML rendering engine (the component that parses and renders HTML, CSS, and DOM content). Processing a specially crafted web page causes MSHTML to write beyond the bounds of an allocated buffer, corrupting adjacent heap memory.

IE MSHTML memory corruption vulnerabilities of this class are exploited through:

  1. Heap grooming — allocating and freeing specific objects to arrange the heap so the overflow corrupts a target object
  2. Information leak — combining with an ASLR bypass (e.g., CVE-2015-0071) to learn the memory layout
  3. ROP chain — building a return-oriented programming chain using known addresses to defeat DEP
  4. Code execution — the combined exploit achieves reliable code execution

Attack Characteristics

Attribute | Detail
Attack Vector | Network — visiting malicious web page
Authentication | None required
User Interaction | Required (visit the page)
Engine | MSHTML (IE rendering engine)
Bulletin | MS15-065 (July 2015)

Discovery

The vulnerability was reported to Microsoft and patched in MS15-065 (July 2015 cumulative IE update), which addressed approximately 25 vulnerabilities across IE 7–11.

Exploitation Context

  • Exploit kit integration: IE memory corruption vulnerabilities were the primary payload in commercial exploit kits in 2015; July 2015 IE bugs entered Angler and Nuclear kit rotations as n-day exploits following patch release
  • APT drive-by attacks: Nation-state actors used IE vulnerabilities in drive-by campaigns — compromising sites frequented by target organizations and exploiting visiting IE users
  • Retired product risk: Internet Explorer was retired June 15, 2022 with no further security updates; any remaining IE installation is permanently exposed to the full catalog of known IE vulnerabilities
  • CISA KEV (2022): Added May 2022

Remediation

CISA BOD 22-01 Deadline: June 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS15-065 (July 2015 cumulative IE update).

  2. Retire Internet Explorer — IE reached end-of-life June 15, 2022. Migrate all users to Microsoft Edge (Chromium), Chrome, or Firefox.

  3. Enforce Edge or Chrome as default browser via Group Policy — prevents IE from being used as the default browser.

  4. Block IE via AppLocker or WDAC if migration cannot be completed immediately.

Key Details

Property | Value
CVE ID | CVE-2015-2425
Vendor / Product | Microsoft — Internet Explorer
NVD Published | 2015-07-14
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787 — Out-of-Bounds Write
CISA KEV Added | 2022-05-25
CISA KEV Deadline | 2022-06-15
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-06-15. Apply updates per vendor instructions.

Timeline

Date | Event
2015-07-14 | Microsoft Security Bulletin MS15-065 released; CVE-2015-2425 patched
2015-07-14 | CVE-2015-2425 published by NVD
2022-05-25 | Added to CISA Known Exploited Vulnerabilities catalog
2022-06-15 | CISA BOD 22-01 remediation deadline