Microsoft Internet Explorer Use-After-Free Vulnerability (CVE-2010-0249)

CVE-2010-0249 is a use-after-free vulnerability (CWE-416) in Microsoft Internet Explorer that allows remote attackers to execute arbitrary code via a specially crafted web page. This vulnerability was actively exploited in the wild (Operation Aurora) and is listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation typically involves a malicious HTML/JavaScript page that triggers memory corruption through manipulated DOM objects, enabling arbitrary code execution in the context of the logged-on user.

Vulnerability Intelligence

KEV: Known Exploited

Affected Software

Vendor: Microsoft
Product: Internet Explorer

Weakness (CWE): CWE-416 (Use After Free)

Timeline

Disclosed: May 20, 2026

CVSS

Unscored (write-up coming soon)

What is CVE-2010-0249 (Microsoft Internet Explorer Use-After-Free Vulnerability)?

CVE-2010-0249 maps to the MITRE ATT&CK tactics Initial Access, Execution and Defense Evasion: in ATT&CK terms, the adversary is trying to get into your network and run code there.

This page provides production-ready detection logic for CVE-2010-0249, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint and Microsoft Sentinel (DeviceProcessEvents, DeviceNetworkEvents). The queries below are rated critical severity at medium confidence and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactic: Initial Access, Execution, Defense Evasion

Microsoft Sentinel / Defender (KQL)

// iexplore.exe started by something other than the parents a user-driven browser session normally has
let suspiciousIEProcesses = DeviceProcessEvents
| where FileName =~ "iexplore.exe"
| where InitiatingProcessFileName !in~ ("iexplore.exe", "explorer.exe", "svchost.exe")
| extend Signal = "ie_unusual_parent"
| project Signal, DeviceId, DeviceName, AccountName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, Timestamp;
// iexplore.exe spawning a shell, script host or LOLBin: the post-exploitation child processes to look for
let iexploreChildSpawn = DeviceProcessEvents
| where InitiatingProcessFileName =~ "iexplore.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe")
| extend Signal = "ie_child_spawn"
| project Signal, DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessId, InitiatingProcessCommandLine, Timestamp;
// outbound connections from the browser on ports other than the usual HTTP, HTTPS and proxy ports
let iexploreNetworkToSuspicious = DeviceNetworkEvents
| where InitiatingProcessFileName =~ "iexplore.exe"
| where RemotePort !in (80, 443, 8080, 8443)
| extend Signal = "ie_nonstandard_port"
| project Signal, DeviceId, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine, Timestamp;
// combine all three signals; the Signal column tells the analyst which sub-detection fired
union suspiciousIEProcesses, iexploreChildSpawn, iexploreNetworkToSuspicious
| sort by Timestamp desc

Detects suspicious Internet Explorer process behavior consistent with CVE-2010-0249 exploitation: child process spawning from iexplore.exe and anomalous outbound network connections from the browser process.

Severity: critical. Confidence: medium.

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel

Required Tables

  • DeviceProcessEvents
  • DeviceNetworkEvents

False Positives

  • Legitimate browser helper objects or extensions that spawn child processes
  • Enterprise proxy or DLP tools that intercept IE network traffic on non-standard ports
  • Automated testing frameworks that drive Internet Explorer via COM automation
  • IT management tools that launch iexplore.exe programmatically for intranet portals

Sigma rule & cross-platform mapping

The detection logic for CVE-2010-0249 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate IE Use-After-Free Child Process Spawn

     Expected signal: Sysmon Event ID 1 showing cmd.exe with ParentImage pointing to iexplore.exe; file creation event for cve_2010_0249_test.txt in %TEMP%

  2. Test 2: IE Spawning PowerShell Downloader (Post-Exploit Simulation)

     Expected signal: Sysmon Event ID 1 with ParentImage iexplore.exe and Image powershell.exe; command line containing -NonInteractive visible in process telemetry

  3. Test 3: Anomalous IE Network Beacon on Non-Standard Port

     Expected signal: Sysmon Event ID 3 network connection event with InitiatingProcessFileName iexplore.exe and DestinationPort 4444; connection attempt logged even on failure
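To check that the KQL logic above really fires on the three expected signals of the testing methodology, here is an added Python re-implementation (example code, not part of the original page) of the same three sub-detections run over constructed Sysmon-style events; the field names follow Sysmon (Image, ParentImage, DestinationPort), and every event, timestamp and IP in SAMPLE_EVENTS is made up for the example.

```python
# Added example: the three signals of the KQL query, applied to constructed Sysmon-style
# events (Event ID 1 = process creation, Event ID 3 = network connection).
IE = "iexplore.exe"
EXPECTED_IE_PARENTS = {"iexplore.exe", "explorer.exe", "svchost.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe", "svchost.exe"}
BROWSER_PORTS = {80, 443, 8080, 8443}

def basename(path: str) -> str:
    """Sysmon logs full paths; the KQL compares file names case-insensitively, so normalise."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> "str | None":
    """Return the name of the signal that fires for one event, or None if it is benign."""
    if event["EventID"] == 1:                                   # process creation
        image, parent = basename(event["Image"]), basename(event["ParentImage"])
        if image == IE and parent not in EXPECTED_IE_PARENTS:
            return "ie_unusual_parent"
        if parent == IE and image in SUSPICIOUS_CHILDREN:
            return "ie_child_spawn"
    elif event["EventID"] == 3:                                 # network connection
        if basename(event["Image"]) == IE and int(event["DestinationPort"]) not in BROWSER_PORTS:
            return "ie_nonstandard_port"
    return None

def hunt(events: "list[dict]") -> "list[tuple[str, str]]":
    """Evaluate every event; return (UtcTime, signal) pairs newest first, like the KQL sort."""
    hits = [(e["UtcTime"], s) for e in events if (s := evaluate(e))]
    return sorted(hits, reverse=True)

# Constructed sample events: the three Testing Methodology signals plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:00", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 1, "UtcTime": "2024-01-01 10:00:05", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"EventID": 3, "UtcTime": "2024-01-01 10:00:09", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"EventID": 3, "UtcTime": "2024-01-01 10:00:02", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},   # ordinary HTTPS: no signal
    {"EventID": 1, "UtcTime": "2024-01-01 09:59:00", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                   # user-launched IE: no signal
]

if __name__ == "__main__":
    for when, signal in hunt(SAMPLE_EVENTS):
        print(when, signal)
```

The benign events document the false-positive boundary: an IE launched from explorer.exe on port 443 produces nothing, while the same parent-child and port rules the KQL uses flag the three test signals.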
