CVE-2016-0185 — Microsoft Windows Media Center Remote Code Execution Vulnerability

Windows Media Center — Crafted .MCL File References Malicious Code Enabling RCE; Inaugural CISA KEV; Patched MS16-059 (May 2016)

What Is Windows Media Center?

Windows Media Center was a media application included with certain Windows editions (XP Media Center Edition through Windows 7, optional on Windows 8.x) providing a 10-foot user interface for media playback, TV recording, and media library management. Media Center Link (.mcl) files are XML-based shortcut files that Windows Media Center uses to launch media content or applications — similar to how browser shortcuts or URL files work, but for Media Center.

Because .mcl files reference content locations that Media Center opens directly, a crafted .mcl file can reference a malicious executable or UNC path, causing Media Center to execute arbitrary code when the file is opened. This class of vulnerability — "shortcut file references malicious content" — has appeared repeatedly across different file formats (.lnk, .url, .mcl) throughout Windows history.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-0185 is a remote code execution vulnerability in Windows Media Center where opening a specially crafted Media Center Link (.mcl) file causes Media Center to execute malicious code referenced by the file. The .mcl file references a malicious executable — potentially hosted on a network share or embedded in an email attachment — and Media Center opens it without adequate validation. The AV:L attack vector reflects that the attacker must get the victim to open the crafted .mcl file locally. Patched in MS16-059 (May 10, 2016). CVE-2016-0185 was included in the inaugural CISA KEV catalog launch on November 3, 2021.

Affected Versions

Product | Status
Windows Media Center on Windows Vista SP2 | Vulnerable
Windows Media Center on Windows 7 SP1 | Vulnerable
Windows Media Center on Windows 8 / 8.1 | Vulnerable

Fixed in MS16-059 (May 2016 Patch Tuesday). Windows 10 does not include Windows Media Center — it was removed from Windows 10.

Technical Details

Root Cause: Crafted .MCL File References Malicious Content

CVE-2016-0185 exploits how Windows Media Center processes .mcl (Media Center Link) files. These XML-formatted files specify content locations for Media Center to open. The vulnerability exists because Media Center fails to adequately validate the content location specified in a crafted .mcl file — allowing a malicious file to reference:

  • A remote UNC path to a malicious executable (\\attacker-server\share\malware.exe)
  • A local path to a dropped payload
  • Other content types that Media Center handles without appropriate trust restrictions

When the user opens the crafted .mcl file (by double-clicking it in Explorer, receiving it via email, or being directed to open it), Media Center processes the file and executes the referenced content as code.

Attack Delivery

The typical delivery pattern for .mcl-based RCE:

  1. Crafted .mcl file — attacker creates a .mcl file referencing malicious content
  2. Delivery — sent via email attachment, downloaded from a web site, or placed on a network share
  3. User opens file — double-clicking the .mcl opens it in Windows Media Center
  4. Malicious content executes — Media Center loads and executes the referenced malicious code at the user's privilege level

The UI:R CVSS component reflects that step 3 requires user action (opening the file), which is typically achieved through social engineering.

Attack Characteristics

Attribute | Detail
Attack Vector | Local — crafted .mcl file opened by user
User Interaction | Required (open crafted .mcl file)
File Type | .mcl (Windows Media Center Link)
Delivery | Email attachment, download, network share
Content Type | XML-based shortcut referencing malicious executable

Discovery

Reported to Microsoft and patched in MS16-059 (May 2016 Patch Tuesday).

Exploitation Context

  • Shortcut file RCE class: CVE-2016-0185 belongs to a recurring class of Windows vulnerability where shortcut or link files (.lnk, .url, .mcl) reference malicious content; this class is effective because file associations cause these files to be processed automatically when opened, and users are accustomed to opening these file types
  • Social engineering delivery: Attackers delivered crafted .mcl files via phishing emails ("view your media content") or malicious downloads; the Windows Media Center association makes the file appear legitimate and media-related
  • Inaugural CISA KEV: CVE-2016-0185 was selected for the inaugural CISA KEV catalog launch in November 2021, reflecting Microsoft's assessment that exploitation remained active years after the patch
  • Windows Media Center removal: Windows 10 does not include Windows Media Center, effectively removing this attack surface on modern Windows systems; Windows 7 (EOL January 2020) was the primary exposure platform
  • CISA KEV (2021): Added November 2021

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS16-059 (May 2016). Any Windows system current with Windows Update after May 2016 includes this fix.

  2. Upgrade to Windows 10/11 — Windows 10 does not include Windows Media Center, permanently removing this attack surface. Upgrade from Windows 7/8 (both EOL) to current Windows versions.

  3. Remove Windows Media Center — on Windows 8/8.1 where Media Center is optional, uninstall it if not needed via Control Panel → Programs → Turn Windows features on or off.

  4. Block .mcl file associations — configure email security gateways to block .mcl file attachments; configure Windows file association policies to prevent .mcl files from being opened automatically without user confirmation.
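
The following Python triage scanner is an added example, not code from the original page or from Microsoft. It illustrates the root cause described under Technical Details and the gateway filtering in step 4 by flagging any .mcl attribute or text value that points at a UNC path, a file: URL, or an executable. Because the page does not give the .mcl schema, it inspects every attribute and text node; the function names and the element and attribute names in the constructed samples are assumptions.

```python
"""Triage scanner for Media Center Link (.mcl) files (added example, schema-agnostic)."""
import re
import xml.etree.ElementTree as ET

UNC = re.compile(r"^\s*(?:\\\\|//)[^\\/\s]+[\\/]")  # \\host\share or //host/share
FILE_URL = re.compile(r"^\s*file:", re.I)
EXEC_EXT = re.compile(r"\.(?:exe|dll|scr|bat|cmd|ps1|vbs|js|hta|msi|lnk)\s*$", re.I)

# Constructed samples; element and attribute names are placeholders (assumption),
# not the real .mcl schema. The UNC path is the one quoted on the page.
SUSPICIOUS = rb'<link name="Holiday video" target="\\attacker-server\share\malware.exe"/>'
BENIGN = rb'<link name="Holiday video" target="https://media.example/holiday"/>'

def classify(value):
    """Return the reasons a single attribute or text value is suspicious."""
    reasons = []
    if UNC.search(value):
        reasons.append("unc-path")
    if FILE_URL.search(value):
        reasons.append("file-url")
    if EXEC_EXT.search(value.split("?")[0]):
        reasons.append("executable-target")
    return reasons

def audit_mcl(data):
    """Return [(reason, location, value)] for one .mcl file given as bytes."""
    utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16" if utf16 else "utf-8", "replace")
    if re.search(r"<!(?:DOCTYPE|ENTITY)", text, re.I):
        # A link file needs no DTD; refuse to expand entities in untrusted XML.
        return [("dtd-present", "document", "")]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return [("malformed-xml", "document", "")]
    findings = []
    for elem in root.iter():
        values = [(f"{elem.tag}@{k}", v) for k, v in elem.attrib.items()]
        if elem.text and elem.text.strip():
            values.append((f"{elem.tag}/text()", elem.text.strip()))
        for location, value in values:
            findings += [(r, location, value) for r in classify(value)]
    return findings

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit_mcl(sample))
```

Findings are triage signals for quarantine or review, not proof of exploitation; an empty list only means no value matched these patterns.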

Key Details

Property | Value
CVE ID | CVE-2016-0185
Vendor / Product | Microsoft — Windows
NVD Published | 2016-05-11
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-426 — Untrusted Search Path
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2016-05-10 | Microsoft Security Bulletin MS16-059 released; CVE-2016-0185 patched (May 2016 Patch Tuesday)
2016-05-11 | CVE-2016-0185 published by NVD
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog (inaugural KEV catalog launch)
2022-05-03 | CISA BOD 22-01 remediation deadline