What happened
CISA added CVE-2008-0015 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-02-17, establishing a remediation due date of 2026-03-10 for impacted federal enterprises (CISA KEV catalog). The vulnerability is a remote code execution (RCE) flaw in the Microsoft Windows Video ActiveX Control, tracked as “Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability” (NVD CVE-2008-0015). Exploitation is achievable through a specially crafted web page that, when viewed by a user, can execute arbitrary code (MITRE CVE record). Successful exploitation yields code execution with the same privileges as the logged-on user, not elevated to administrator by default (NVD CVE-2008-0015). CISA’s entry flags this as actively exploited and mandates action per vendor guidance or discontinuation if mitigations are unavailable (CISA KEV catalog).
Why it matters
Inclusion in CISA’s KEV means in-the-wild exploitation has been observed and federal civilian agencies are obligated to remediate within the set window (CISA KEV catalog). The bug enables web-delivered RCE via a malicious page, shrinking attacker friction to a single visit and bypassing traditional attachment or installer-based delivery (NVD CVE-2008-0015). Because the payload runs with the current user’s permissions, compromise of a user session can directly hand over session tokens, data access, and execution footholds aligned to that user context (MITRE CVE record). Drive-by code-execution vulnerabilities like this remain high-value to threat actors given their scalability and the ease of embedding lures in web content, ad slots, or compromised sites (CISA KEV catalog).
Technical detail
The vulnerable component is a Windows Video ActiveX Control, which can be instantiated by web content and abused to run attacker-controlled code (NVD CVE-2008-0015). The attack vector is a crafted web page that triggers the control in a way that leads to execution of arbitrary code supplied by the attacker (MITRE CVE record). No special privileges are required to trigger the condition; the outcome is code execution within the security context of the user who viewed the page (NVD CVE-2008-0015). CISA’s KEV designation confirms current exploitation, elevating this from a theoretical risk to an operational threat that defenders should treat as active (CISA KEV catalog).
In practical terms, the exploit path looks like: a user browses to an attacker-controlled or compromised site; the page contains content designed to interact with the vulnerable Video ActiveX Control; the control processes malicious input and transfers execution to attacker code (MITRE CVE record). The payload then runs with the logged-on user’s rights, enabling whatever that account can reach (files, network shares, or user-scope configuration), consistent with the CVE’s impact description (NVD CVE-2008-0015).
Defense
- Prioritize remediation as directed by CISA’s KEV: apply vendor mitigations where available, follow the applicable KEV/BOD workflows, or discontinue use if mitigations are not available (CISA KEV catalog).
- Treat browsing pathways as an immediate exposure for this CVE. The exploit vector is a crafted web page that triggers the vulnerable control; minimize the opportunity for untrusted web content to load such components while remediation is underway (NVD CVE-2008-0015).
- Detection and monitoring: flag browser sessions that attempt to interact with Windows Video ActiveX components in unusual ways and watch for post-browse execution anomalies (child process spawns, script interpreters, or suspicious DLL loads) tied to the browsing context (MITRE CVE record).
- Validate least privilege. Because successful exploitation runs with the user’s rights, ensuring users operate without unnecessary privileges limits blast radius if a session is compromised (NVD CVE-2008-0015).
- Track and close by the KEV due date (2026-03-10) across all in-scope assets; document exceptions only where discontinuation or isolation is enforced (CISA KEV catalog).
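The post-browse monitoring described in the detection bullet can be prototyped as a parent/child rule over process-creation telemetry. The following is an added example, not code from CISA, NVD, or Lyrie; it assumes events carrying the Sysmon Event ID 1 field names (`UtcTime`, `User`, `Image`, `ParentImage`), and the host list, child list, path list, and sample events are all constructed for illustration.

```python
import ntpath

# Assumption: iexplore.exe is the ActiveX host to watch; extend for your fleet.
BROWSER_HOSTS = {"iexplore.exe"}
# Assumption: interpreters and loaders a browser tab rarely starts by itself.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumption: user-writable paths where dropped binaries commonly land.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Constructed sample events (not real telemetry), Sysmon Event ID 1 field names.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2026-02-18 09:14:02", "User": "CORP\\alice",
     "ParentImage": IE, "Image": IE},
    {"UtcTime": "2026-02-18 09:14:07", "User": "CORP\\alice",
     "ParentImage": IE, "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2026-02-18 09:20:11", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"UtcTime": "2026-02-18 09:31:45", "User": "CORP\\carol",
     "ParentImage": IE, "Image": r"C:\Users\carol\AppData\Local\Temp\upd.exe"},
]

def _name(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return a reason if a browser host spawned a suspicious child, else None."""
    if _name(event["ParentImage"]) not in BROWSER_HOSTS:
        return None                      # not spawned from the browsing context
    child = _name(event["Image"])
    if child in BROWSER_HOSTS:
        return None                      # the browser's own tab/frame processes
    if child in SUSPECT_CHILDREN:
        return "interpreter-or-loader"
    if any(p in event["Image"].lower() for p in USER_WRITABLE):
        return "binary-in-user-writable-path"
    return None

def flag_browser_children(events):
    """List (time, user, child, reason) for every flagged process creation."""
    return [(e["UtcTime"], e["User"], _name(e["Image"]), reason)
            for e in events if (reason := classify(e))]

if __name__ == "__main__":
    for hit in flag_browser_children(SAMPLE_EVENTS):
        print(hit)
```

The same parent/child pairing extends to image-load events for the suspicious DLL loads the bullet mentions; tune the lists against a baseline of normal browser behaviour before alerting on them.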
Lyrie Verdict
This is a classic drive-by RCE on a Windows Video ActiveX Control: a web page can hand an attacker code execution in the current user’s context (NVD CVE-2008-0015). KEV confirmation means adversaries are actively working this angle now, not hypothetically later (CISA KEV catalog). Lyrie’s autonomous sensors watch for the specific pre-exploitation sequence, in which untrusted web content attempts to instantiate and exercise Windows Video ActiveX functionality, and correlate that with immediate process behavior to preempt code execution at machine speed (MITRE CVE record). We don’t wait for analyst eyes-on; we break the kill chain as the page loads, isolate the session, and block follow-on actions aligned to the user context. For organizations still burning down exposure, keep Lyrie inline on browsing egress: this class of web-triggered control abuse is exactly where autonomous, anti-rogue-AI defense pays for itself in seconds (CISA KEV catalog).
Drive-by RCE via Windows Video ActiveX Control is being exploited; Lyrie auto-detects and blocks the web-to-control instantiation pattern and related process behavior at machine speed, isolating the session before payload execution.