CVE-2013-3900 | WinVerifyTrust Signature Validation Vulnerability

Exp

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013, Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software. Vulnerability Description A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an... See more at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

Published: 2013-12-10 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2013-3900 is rated Active Exploitation (76.5/100): CVSS Medium severity, with high exploitation likelihood (EPSS 44.65%, 99th percentile). CISA KEV confirms active exploitation (added 2022-01-10) affecting Microsoft / WinVerifyTrust function. a weakness (CWE-347) Unauthenticated remote administrative access may be possible. The CISA remediation deadline has passed—treat as an emergency patch priority.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

CISA KEV Record for CVE-2013-3900

Name: Microsoft WinVerifyTrust function Remote Code Execution · CISA KEV detail

Exploit added: 2022-01-10

Action due: 2022-07-10

Required action: Apply updates per vendor instructions.

Exploit prediction scoring system (EPSS) score for CVE-2013-3900

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 76.15% 44.65% -31.50%
2 2026-06-14 75.82% 76.15% +0.33%
3 2026-06-08 75.82%

Full EPSS history (64 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2013-3900

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.5 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.
 1.8 3.6 [email protected]
8.8 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.8 5.9 [email protected]
8.8 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.8 5.9 134c704f-9b21-4f2e-91b3-4a467353bcc0
7.6 2.0 HIGH
AV:N/AC:H/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:H)
Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 4.9 10.0 [email protected]

Weakness enumeration for CVE-2013-3900

Affected software / configurations for CVE-2013-3900

Vendor Product Version Raw CPE
microsoft windows_10_1507 cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:*:*
microsoft windows_10_1607 cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
microsoft windows_10_1607 cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
microsoft windows_10_1809 cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:arm64:*
microsoft windows_10_1809 cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x64:*
microsoft windows_10_1809 cpe:2.3:o:microsoft:windows_10_1809:-:*:*:*:*:*:x86:*
microsoft windows_10_1909 cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:*:*
microsoft windows_10_20h2 cpe:2.3:o:microsoft:windows_10_20h2:-:*:*:*:*:*:*:*
microsoft windows_10_21h1 cpe:2.3:o:microsoft:windows_10_21h1:-:*:*:*:*:*:*:*
microsoft windows_10_21h2 cpe:2.3:o:microsoft:windows_10_21h2:-:*:*:*:*:*:*:*
microsoft windows_10_22h2 cpe:2.3:o:microsoft:windows_10_22h2:-:*:*:*:*:*:arm64:*
microsoft windows_11_21h2 cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:arm64:*
microsoft windows_11_21h2 cpe:2.3:o:microsoft:windows_11_21h2:-:*:*:*:*:*:x64:*
microsoft windows_11_22h2 cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:arm64:*
microsoft windows_11_22h2 cpe:2.3:o:microsoft:windows_11_22h2:-:*:*:*:*:*:x64:*
microsoft windows_11_23h2 cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:arm64:*
microsoft windows_11_23h2 cpe:2.3:o:microsoft:windows_11_23h2:-:*:*:*:*:*:x64:*
microsoft windows_11_24h2 cpe:2.3:o:microsoft:windows_11_24h2:-:*:*:*:*:*:arm64:*
microsoft windows_11_24h2 cpe:2.3:o:microsoft:windows_11_24h2:-:*:*:*:*:*:x64:*
microsoft windows_7 cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
microsoft windows_8.1 cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
microsoft windows_rt_8.1 cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
microsoft windows_server_2008 cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
microsoft windows_server_2008 r2 cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
microsoft windows_server_2012 cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
microsoft windows_server_2012 r2 cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
microsoft windows_server_2016 cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
microsoft windows_server_2019 cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
microsoft windows_server_2022 cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
microsoft windows_server_2022_23h2 cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*
microsoft windows_server_2025 cpe:2.3:o:microsoft:windows_server_2025:-:*:*:*:*:*:*:*

References for CVE-2013-3900

cvelogic Threat Intelligence