CWE-618 (Exposed Unsafe ActiveX Method) — Vulnerability Class 1

1 vulnerability classified as CWE-618 (Exposed Unsafe ActiveX Method). AI analysis included.

CWE-618 is an exposure weakness in ActiveX controls: a control written for use in a web browser exposes methods whose effects lie outside the browser's security model (the zone or domain the hosting page runs in). Because an ActiveX control is native code running with the user's privileges, such a method can do far more than JavaScript or a Java applet ever could. An attacker exploits the weakness by hosting a web page that instantiates the control and calls the exposed method, typically to read or write files, modify the registry, or execute arbitrary code. Mitigation starts with auditing every method, property and event the control exposes and removing anything the web page does not need; whatever must remain should validate all of its arguments, check the origin of the hosting page, and be scoped as narrowly as possible (least privilege). A control should not be marked safe for scripting unless it has been reviewed for exactly this kind of misuse. The most effective fix is to retire the ActiveX control in favor of modern web standards, which removes the attack surface entirely.

MITRE CWE Description
An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain). ActiveX controls can exercise far greater control over the operating system than typical Java or JavaScript. Exposed methods can be subject to various vulnerabilities, depending on the implemented behaviors of those methods, and whether input validation is performed on the provided arguments. If there is no integrity checking or origin validation, this method could be invoked by attackers.

Common Consequences (1)
Scope: Other. Impact: Other.

Mitigations (3)
Phase: Implementation. If you must expose a method, make sure to perform input validation on all arguments, and protect against all possible vulnerabilities.
Phase: Architecture and Design. Use code signing, although this does not protect against any weaknesses that are already in the control.
Phases: Architecture and Design; System Configuration. Where possible, avoid marking the control as safe for scripting.
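The two mitigations that matter most in practice are the origin validation the description asks for and the argument validation the Implementation mitigation asks for. The following is an added example, not code from the page or from any product: it implements the decision logic of a SiteLock-style origin check (only https pages on an allow-listed domain may call the control) and the argument guard for a hypothetical exposed method ExportLog(fileName). The allow-list kAllowedDomains is constructed for the example, and the COM plumbing by which a real control obtains the hosting page URL (IOleClientSite, IServiceProvider, IWebBrowser2::get_LocationURL) is assumed and omitted so that the logic compiles and runs on any platform.

```cpp
// Added example (not from the page or any product): SiteLock-style origin
// check plus argument validation for an exposed ActiveX method. The hosting
// URL is assumed to have been obtained from the container via COM
// (IOleClientSite -> IServiceProvider -> IWebBrowser2::get_LocationURL).
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hosting domains allowed to script the control. Constructed for the example.
static const std::vector<std::string> kAllowedDomains = {"example.com"};

struct Origin {
    std::string scheme;
    std::string host;
    bool ok = false;  // false when the URL could not be parsed unambiguously
};

static std::string ToLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Extract scheme and host from "scheme://host[:port]/...". Anything unusual
// (userinfo, IPv6 literal, non-numeric port, empty host) is rejected rather
// than guessed at: a parse disagreement with the browser is exactly what an
// attacker would exploit to get past the check.
Origin ParseOrigin(const std::string& url) {
    Origin o;
    const size_t sep = url.find("://");
    if (sep == std::string::npos || sep == 0) return o;
    const size_t start = sep + 3;
    const size_t end = url.find_first_of("/?#", start);
    std::string authority =
        url.substr(start, end == std::string::npos ? std::string::npos : end - start);
    if (authority.empty() || authority.find('@') != std::string::npos || authority[0] == '[')
        return o;
    const size_t colon = authority.find(':');
    if (colon != std::string::npos) {
        const std::string port = authority.substr(colon + 1);
        if (port.empty() || !std::all_of(port.begin(), port.end(),
                                         [](unsigned char c) { return std::isdigit(c) != 0; }))
            return o;
        authority.erase(colon);
    }
    o.scheme = ToLower(url.substr(0, sep));
    o.host = ToLower(authority);
    o.ok = true;
    return o;
}

// Exact match or a subdomain on a dot boundary: "evil-example.com" must not
// match "example.com", and neither must "example.com.attacker".
bool HostMatchesDomain(const std::string& host, const std::string& domain) {
    if (host == domain) return true;
    if (host.size() <= domain.size()) return false;
    const size_t off = host.size() - domain.size();
    return host[off - 1] == '.' && host.compare(off, domain.size(), domain) == 0;
}

// Origin validation: only https pages on an allowed domain may call in.
// file:, http:, about: and res: pages are refused outright.
bool IsTrustedHostingOrigin(const std::string& hostingUrl) {
    const Origin o = ParseOrigin(hostingUrl);
    if (!o.ok || o.scheme != "https") return false;
    for (const auto& d : kAllowedDomains)
        if (HostMatchesDomain(o.host, d)) return true;
    return false;
}

enum class CallResult { Ok, UntrustedOrigin, BadArgument };

// Guard for the hypothetical exposed method ExportLog(fileName): origin check
// first, then argument validation. Only a bare file name is accepted; path
// separators, drive/stream colons, traversal names and control characters are
// rejected so the page cannot choose an arbitrary location on the system.
CallResult GuardedExportLog(const std::string& hostingUrl, const std::string& fileName) {
    if (!IsTrustedHostingOrigin(hostingUrl)) return CallResult::UntrustedOrigin;
    if (fileName.empty() || fileName == "." || fileName == "..") return CallResult::BadArgument;
    if (fileName.find_first_of("/\\:") != std::string::npos) return CallResult::BadArgument;
    for (unsigned char c : fileName)
        if (c < 0x20 || c == 0x7f) return CallResult::BadArgument;
    // A real control would now write under a fixed directory it chose itself.
    return CallResult::Ok;
}

int main() {
    std::cout << std::boolalpha
              << IsTrustedHostingOrigin("https://portal.example.com/app") << ' '
              << IsTrustedHostingOrigin("https://evil-example.com/") << ' '
              << IsTrustedHostingOrigin("file:///C:/attacker.html") << '\n';
    return 0;
}
```

The origin check is deliberately strict: an unparseable or ambiguous URL is treated as untrusted rather than normalized, and http: is refused even for an allowed domain because a network attacker could inject the calling page. Note that this check is only as good as the URL the container reports; a control that is not marked safe for scripting still has a smaller attack surface than one that relies on this guard alone.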
CVE ID | Title | CVSS | Severity | Published
CVE-2025-0118 | GlobalProtect App: Execution of Unsafe ActiveX Control Vulnerability | 8.8 | - | 2025-03-12

One CVE is classified as CWE-618 (Exposed Unsafe ActiveX Method). The CWE taxonomy describes the weakness; review the individual CVE for product-specific impact.