HighCISA KEVExploited in the wildPublic exploit

Remote Code Execution in Microsoft GDI+ TIFF Parsing

IdentifiersCVE-2013-3906CWE-20

CVE-2013-3906 is a remote code execution vulnerability in Microsoft GDI+ affecting Windows Vista SP2, Windows Server 2008 SP2, Microsoft Office 2003 SP3, Office 2007 SP3, Office 2010 SP1/SP2, Office Compatibility Pack SP3, and Microsoft Lync 2010/2010 Attendee/2013/Basic 2013. The flaw can be triggered via a crafted TIFF image, including when embedded in a Microsoft Word document. Successful exploitation causes the vulnerable application to process the malicious TIFF through GDI+, leading to arbitrary code execution. The provided content does not identify the exact vulnerable function or memory-corruption primitive, so more specific root-cause detail is currently not available.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote arbitrary code execution in the context of the user opening or previewing the malicious content. In practical campaigns, this enabled initial compromise through spear-phishing documents and subsequent malware delivery. The content specifically notes in-the-wild exploitation in October and November 2013 and references Sandworm Team targeting, including use against a Polish energy firm.

Mitigation

If you can’t patch tonight, do this now.

Until patches are fully deployed, reduce exposure by blocking or quarantining Office documents and standalone TIFF files from untrusted sources, especially via email. Limit opening of unsolicited attachments, use Protected View and attachment sandboxing where available, and restrict execution paths for delivered payloads through application control and least-privilege user accounts. Because exploitation was observed through Word documents containing crafted TIFF images, email filtering and detonation of Office attachments are relevant compensating controls.

Remediation

Patch, then assume compromise.

Apply Microsoft's security updates for CVE-2013-3906 to all affected Windows, Office, Office Compatibility Pack, and Lync installations identified in the advisory. Prioritize patching systems that open untrusted Office documents or image content received via email. Upgrade unsupported or legacy Office deployments where possible to supported, fully patched versions.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationExcel Viewerapplication

Microsoft CorporationLyncapplication

Microsoft CorporationOfficeapplication

Microsoft CorporationOffice Compatibility Packapplication

Microsoft CorporationPowerpoint Viewerapplication

Microsoft CorporationWindows Server 2008operating_system

Microsoft CorporationWindows Vistaoperating_system

Microsoft CorporationWord Viewerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

fireeyeNews

Apr 1, 2015

A New Word Document Exploit Kit | FireEye Inc

A Microsoft Word exploit included in the Microsoft Word Intruder exploit pack.

web archiveNews

Oct 14, 2014

Sandworm Zero Day Vulnerability | iSIGHT Partners

Unknown (the content only notes it was used in targeting; it does not describe the vulnerability type or impact).

web archiveNews

Oct 14, 2014

Sandworm Zero Day Vulnerability | iSIGHT Partners

Unknown (the content only notes it was used against a Polish energy firm; no technical details are provided).

mitre attackNews

Jan 25, 2026

Exploitation for Client Execution, Technique T1203 - Enterprise | MITRE ATT&CK®

A Microsoft Word vulnerability involving crafted TIFF images exploited for code execution.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2013-3906

NVD

nvd.nist.gov/vuln/detail/CVE-2013-3906

MITRE CWE · CWE-20

cwe.mitre.org

Patch

technet.microsoft.com/security/advisory/2896666

Patch

docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096

Third Party Advisory

exploit-db.com/exploits/30011

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3906