Is CVE-2017-0037 known to be exploited?

Yes. CVE-2017-0037 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-03-28), indicating it is being actively exploited. 17 public proof-of-concept repositories are indexed.

Vulnerability in Microsoft Corporation Internet Browser

CVE-2017-0037

Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary…

EPSS: 0.891 (99.5th percentile) — read the EPSS interpretation.

Affected products

Microsoft Corporation Internet Browser — versions Internet Explorer 10 and 11 and Edge

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2022-03-28. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-04-18.

Required action: Apply updates per vendor instructions.

Public proof-of-concept exploits

References

bugs.chromium.org/p/project-zero/issues/detail (x_refsource_MISC)
0patch.blogspot.si/2017/03/0patching-another-0-day-internet.html (x_refsource_MISC)
96088 (vdb-entry, x_refsource_BID)
41454 (exploit, x_refsource_EXPLOIT-DB)
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0037 (x_refsource_CONFIRM)
43125 (exploit, x_refsource_EXPLOIT-DB)
1037905 (vdb-entry, x_refsource_SECTRACK)
42354 (exploit, x_refsource_EXPLOIT-DB)
1037906 (vdb-entry, x_refsource_SECTRACK)

Frequently asked questions

What is CVE-2017-0037?: CVE-2017-0037 is a vulnerability in Microsoft Corporation Internet Browser. Published 2017-02-26.
Is CVE-2017-0037 known to be exploited?: Yes. CVE-2017-0037 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-03-28), indicating it is being actively exploited. 17 public proof-of-concept repositories are indexed.