LiveActive security incident?Get immediate response
CVE Record

CVE-2013-3900: WinVerifyTrust Signature Validation Vulnerability

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013, Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software. Vulnerability Description A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an... See more at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

HighCVSS 8.8Known exploitedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This Windows flaw can let a maliciously modified signed executable appear valid because Authenticode signature checking may ignore added content. If a user or application runs that file, an attacker could gain the user’s privileges, including full control when the user is an administrator.

Executive priority

Treat this as a high-priority Windows hardening gap because it is in CISA KEV and can turn trust in signed software against the organization. Prioritize endpoints and servers where users install software or run downloaded executables.

Technical view

CVE-2013-3900 is a WinVerifyTrust Authenticode validation issue for PE files, mapped to CWE-347. Microsoft states stricter validation is not default on supported Windows; EnableCertPaddingCheck is available as an opt-in registry setting. CVSS is 8.8, with network delivery, low complexity, no privileges, and user interaction required.

Likely exposure

Exposure centers on listed Windows client and server versions where signed PE files are executed or installed and stricter certificate padding validation is not enabled. Windows 10, Windows 11, and several Windows Server releases are named in the source bundle.

Exploitation context

CISA KEV listing supports known exploitation. The bundle does not identify current campaigns, exploit tooling, or affected third-party software. Exploitation requires a user or application to run or install a specially crafted signed PE file.

Researcher notes

The key issue is signature validation behavior, not a missing signature. Microsoft republished the CVE to clarify supported Windows coverage and registry configuration. Evidence in the bundle supports known exploitation but not current scale, affected malware families, or a universal default fix.

Mitigation direction

  • Review Microsoft MSRC guidance for CVE-2013-3900 and MS13-098.
  • Enable Microsoft’s EnableCertPaddingCheck registry setting where operationally approved.
  • Apply relevant Microsoft security updates where applicable to legacy systems.
  • Reduce local administrator use on Windows endpoints and servers.
  • Control execution of newly introduced signed PE files from untrusted sources.

Validation and detection

  • Inventory Windows versions listed as affected in the MSRC advisory.
  • Verify whether EnableCertPaddingCheck is configured on target systems.
  • Confirm endpoint policy limits untrusted executable installation and execution.
  • Review telemetry for unusual signed PE execution from user-writable locations.
  • Validate least-privilege controls for users who commonly install software.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-347: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2013-3900 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.8 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.8CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H2.85.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

8.8High
CVSS 3.1 vector shape for CVE-2013-3900Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
MicrosoftWindows 10 Version 1809N/AListed
MicrosoftWindows 10 Version 1809N/AListed
MicrosoftWindows Server 2019N/AListed
MicrosoftWindows Server 2019 (Server Core installation)N/AListed
MicrosoftWindows Server 2022N/AListed
MicrosoftWindows 11 version 21H2N/AListed
MicrosoftWindows 10 Version 21H2N/AListed
MicrosoftWindows 11 version 22H2N/AListed
MicrosoftWindows 10 Version 22H2N/AListed
MicrosoftWindows Server 2025 (Server Core installation)N/AListed
MicrosoftWindows 11 version 22H3N/AListed
MicrosoftWindows 11 Version 23H2N/AListed
MicrosoftWindows Server 2022, 23H2 Edition (Server Core installation)N/AListed
MicrosoftWindows 11 Version 24H2N/AListed
MicrosoftWindows Server 2025N/AListed
MicrosoftWindows 10 Version 1507N/AListed
MicrosoftWindows 10 Version 1607N/AListed
MicrosoftWindows Server 2016N/AListed
MicrosoftWindows Server 2016 (Server Core installation)N/AListed
MicrosoftWindows Server 2008 Service Pack 2N/AListed
MicrosoftWindows Server 2008 Service Pack 2 (Server Core installation)N/AListed
MicrosoftWindows Server 2008 Service Pack 2N/AListed
MicrosoftWindows Server 2008 R2 Service Pack 1N/AListed
MicrosoftWindows Server 2008 R2 Service Pack 1 (Server Core installation)N/AListed
MicrosoftWindows Server 2012N/AListed
MicrosoftWindows Server 2012 (Server Core installation)N/AListed
MicrosoftWindows Server 2012 R2N/AListed
MicrosoftWindows Server 2012 R2 (Server Core installation)N/AListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-347 · source CWE mapping

Improper Verification of Cryptographic Signature

Improper Verification of Cryptographic Signature represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.