An XML external entity (XXE) injection vulnerability has been reported in the System Information Console component of Microsoft Windows. The vulnerability is due to a failure to properly handle external entity references in XML files.

A remote attacker could exploit this vulnerability by enticing a target user into opening a crafted XML file with System Information Console. Successful exploitation results in the disclosure of file contents from the target system.

The vendor, Microsoft, has released the following advisory regarding this vulnerability:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8557

• Microsoft Windows 10
• Microsoft Windows 7
• Microsoft Windows 8.1
• Microsoft Windows RT 8.1
• Microsoft Windows Server 2008
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016

• Access vector is NETWORK
• Access complexity is MEDIUM
• Level of authentication required is NONE
• Impact of this vulnerability on data confidentiality is COMPLETE
• Impact of this vulnerability on data integrity is NONE
• Impact of this vulnerability on data availability is NONE

• The exploitability level of this vulnerability is UNPROVEN
• The remediation level of this vulnerability is OFFICIAL FIX
• The report confidence level of this vulnerability is CONFIRMED