PatchSiren

CVE-2013-0074 Microsoft CVE debrief

CVE-2013-0074 is a Microsoft Silverlight double dereference vulnerability that CISA has included in its Known Exploited Vulnerabilities catalog. The KEV entry notes known ransomware campaign use and states that the impacted product is end-of-life and should be disconnected if still in use. For defenders, the main takeaway is not routine patching but identifying any remaining Silverlight exposure and removing or isolating it.

Vendor: Microsoft
Product: Silverlight
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2022-05-25
Original CVE updated: 2022-05-25
Advisory published: 2022-05-25
Advisory updated: 2022-05-25

Who should care

Security teams, endpoint and application owners, and IT administrators should care if any legacy business applications, kiosks, or internal tools still depend on Microsoft Silverlight. Incident response and vulnerability management teams should treat this as a high-priority legacy exposure because it is in CISA KEV and marked with known ransomware campaign use.

Technical summary

The supplied sources identify the issue as a Microsoft Silverlight double dereference vulnerability. The source corpus does not provide a deeper technical breakdown, severity score, or exploitation mechanics, but it does establish that the vulnerability is tracked by CISA as known exploited and associated with known ransomware campaign use. The KEV record also says the affected product is end-of-life, which changes the remediation approach from patch management to removal, isolation, or disconnection where applicable.

Defensive priority

High. CISA lists this CVE in KEV and marks it as having known ransomware campaign use. Because the impacted product is end-of-life, organizations should prioritize finding any remaining Silverlight deployments and removing or disconnecting them rather than assuming a patch-based fix is available.

Recommended defensive actions

  • Inventory all systems, browsers, and legacy applications for any remaining Microsoft Silverlight dependency.
  • Remove, replace, or retire Silverlight-based applications where possible.
  • If Silverlight must remain temporarily, isolate the affected systems and restrict access as much as possible.
  • Disconnect the impacted product if it is still in use, consistent with the CISA KEV note.
  • Confirm vulnerability management and asset inventories reflect the KEV status so the exposure is tracked as a high-priority legacy risk.
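
One way to carry out the inventory and tracking steps above, as an added example that is not part of the original debrief: match an asset inventory export against a KEV record and pick removal or isolation instead of patching when the record marks the product end-of-life. The KEV record uses field names from CISA's JSON feed with values restating this page; the inventory columns, hosts and software names are constructed assumptions.

```python
import csv
import io
import re

# Constructed record using field names from CISA's KEV JSON feed; the values
# restate what this page reports and are not a copy of the live entry.
KEV = [{
    "cveID": "CVE-2013-0074",
    "product": "Silverlight",
    "knownRansomwareCampaignUse": "Known",
    "requiredAction": "The impacted product is end-of-life and should be "
                      "disconnected if still in use.",
}]

# Constructed inventory export; hosts, columns and names are hypothetical.
INVENTORY_CSV = """host,software,depends_on,still_required
kiosk-01,Microsoft Silverlight 5,,no
hr-app-02,Contoso Timesheet,IIS;silverlight,yes
dev-07,QuickSilverlightning Theme,,no
ws-113,Mozilla Firefox,,yes
"""

def remediation(entry, still_required):
    """EOL products have no patch path: remove, or isolate while retiring."""
    if "end-of-life" not in entry["requiredAction"].lower():
        return "patch"
    return "isolate-and-restrict" if still_required else "remove-or-disconnect"

def triage(inventory_csv, kev):
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Check direct installs and declared dependencies of other software.
        haystack = f'{row["software"]} {row["depends_on"]}'
        for entry in kev:
            # Whole-word match so look-alike names (dev-07) do not hit.
            if not re.search(rf'\b{re.escape(entry["product"])}\b', haystack, re.I):
                continue
            ransomware = entry["knownRansomwareCampaignUse"] == "Known"
            findings.append({
                "host": row["host"],
                "cve": entry["cveID"],
                "priority": "high" if ransomware else "normal",
                "action": remediation(entry, row["still_required"] == "yes"),
            })
    return findings

if __name__ == "__main__":
    for finding in triage(INVENTORY_CSV, KEV):
        print(finding)
```
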

Evidence notes

Evidence is limited to the supplied official sources: the CISA Known Exploited Vulnerabilities entry, the CVE record, and the NVD detail page. The CISA source explicitly labels the vulnerability as known exploited, notes known ransomware campaign use, and states that the impacted product is end-of-life and should be disconnected if still in use. The corpus does not include CVSS, exploit details, or a broader technical impact statement, so this debrief avoids unsupported claims.

Official resources

This debrief is based only on the provided source corpus and official links. It reflects the KEV listing date in the supplied timeline data (2022-05-25) and does not assert the original discovery or issue date of the vulnerability.