← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:166555 · CWE-347 · Disclosed 2013-12-10

WinVerifyTrust Signature Validation CVE-2013-3900 Mitigation

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a forged backstage pass, not a door kicked in from the internet

CVE-2013-3900 is an Authenticode trust-validation flaw in WinVerifyTrust: a PE file can be modified after signing by abusing unverified padding in the WIN_CERTIFICATE structure, yet still appear signed to Windows trust checks. Tenable plugin 166555 is not finding a missing classic patch on a single app; it is checking whether the OS-wide opt-in mitigation EnableCertPaddingCheck is absent or misconfigured under HKLM\Software\Microsoft\Cryptography\Wintrust\Config and, on 64-bit systems, HKLM\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config. Microsoft originally shipped the underlying code with MS13-098 in December 2013 and later clarified that supported Windows 10 and Windows 11 already contain the logic, but the stricter behavior still must be enabled by registry setting.

Tenable labeling this HIGH overstates what defenders are actually dealing with on a 10,000-host estate. This is not an unauthenticated remote service bug you can spray across the network; exploitation requires a trojanized signed PE to be delivered and then executed on a host missing the opt-in check. That said, it is also not ignorable defense-in-depth trivia: it is KEV-listed and has been used in real supply-chain tradecraft, including 3CX-related SIGFlip abuse, so the right read is downgrade the severity bucket to MEDIUM, but upgrade the operational urgency because of exploitation evidence.

"Treat this as active supply-chain hardening, not a network RCE on your estate."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Prepare a signed-but-tampered PE

The attacker takes a legitimately signed Windows PE and modifies unverified certificate padding so malicious content survives signature checks on systems without strict validation. Public tooling such as SIGFlip has been cited by Mandiant in 3CX tradecraft, and multiple public PoCs exist demonstrating the technique for CVE-2013-3900.
Conditions required:
  • Attacker can obtain or reuse a signed PE file
  • Attacker can alter the PE while preserving apparent trust on non-hardened hosts
Where this breaks in practice:
  • This is a file-prep stage, not direct network exploitation
  • Creating a useful payload still requires delivery and execution
  • Modern reputation services and AV may still flag the resulting file even if trust checks are bypassed
Detection/coverage: No network scanner sees this prep stage. Detection depends on malware analysis, code-signing validation, and EDR/AV inspection of the delivered file.
STEP 02

Deliver through a trust-heavy channel

The attacker then pushes the crafted file through phishing, software distribution, or supply-chain channels where a valid-looking signature increases the chance of execution. This is where the bug matters in practice: it helps the payload look more trustworthy than it should.
Conditions required:
  • Victim receives the PE via email, web download, software update, or internal distribution
  • The organization relies on signature trust during user or admin decision-making
Where this breaks in practice:
  • Email gateways, web filters, sandboxing, and app reputation can stop delivery
  • Not every environment allows unsigned or newly downloaded executables to run
  • The attacker still needs a believable lure or compromised software channel
Detection/coverage: Secure email gateways, browser isolation, proxy malware inspection, and sandbox detonations can catch this phase. Nessus/Tenable does not validate this path; plugin 166555 only checks registry hardening state.
STEP 03

Abuse weak trust validation on the endpoint

On a host where EnableCertPaddingCheck is missing, disabled, or set incorrectly, Windows trust validation may treat the tampered PE as signed. That weakens downstream controls and operator judgment that depend on Authenticode trust.
Conditions required:
  • Endpoint lacks the EnableCertPaddingCheck mitigation in both relevant registry views
  • A process, user, installer, or control path actually invokes WinVerifyTrust semantics
Where this breaks in practice:
  • If the registry setting is enabled, this specific bypass fails
  • Some environments rely on WDAC, AppLocker, SmartScreen, or EDR policy layers that can still block execution
  • A subset of security controls do not trust Authenticode alone
Detection/coverage: This phase is detectable only with host-based assessment. Tenable plugin 166555 is a Type: Local check and requires agent or credentialed host access.
STEP 04

Execute with user-context impact

If the PE runs, malicious code executes with the rights of the launching user or service, after which the attacker can chain privilege escalation or lateral movement. The CVE's theoretical impact is high, but in real estates the blast radius starts at one executed file on one endpoint, not instant network-wide compromise.
Conditions required:
  • User or service executes the PE
  • No downstream EDR/ASR/App Control block triggers
Where this breaks in practice:
  • User interaction is usually required
  • Impact is initially bounded to the executing context
  • Follow-on persistence or privilege escalation is a separate step, not guaranteed by this CVE alone
Detection/coverage: EDR should see suspicious process lineage, DLL loads, persistence, and post-execution behavior. The CVE itself is poor as a stand-alone detection signal; behavior after launch is where defenders usually win.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusYes. CVE-2013-3900 is in CISA KEV, and Mandiant documented 3CX tradecraft using SIGFlip to leverage the flaw; Cybereason later tied the technique to NOOPDOOR investigations.
KEV statusKEV-listed on 2022-01-10 with CISA due date 2022-07-10.
Public PoC / weaponizationPublic technique and PoC availability is not theoretical: Mandiant explicitly referenced SIGFlip, and public GitHub PoCs/remediation repos exist for CVE-2013-3900.
EPSSTenable currently shows EPSS 0.76161 (roughly 99th percentile), which matches the fact that attackers have repeatedly reused this trust-bypass pattern.
CVSS splitThere is a major scoring split: Microsoft CNA = 5.5 MEDIUM (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) vs NVD = 8.8 HIGH (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). For enterprise prioritization, Microsoft's lower score better matches the real attacker path because execution is the gating step.
Affected versionsOriginally affected a broad set of Windows releases in MS13-098; Microsoft later republished guidance stating the supporting logic is present on all currently supported Windows 10 and Windows 11 as an opt-in setting.
Fixed / mitigated stateFor modern supported Windows, there is often no separate patch to wait for. The effective remediation is enabling EnableCertPaddingCheck; on legacy platforms the underlying support came via MS13-098 / Security Advisory 2915720 guidance.
Scanner / exposure realityThis is not internet-enumerable like an exposed web panel. Plugin 166555 is a local Windows registry check, so Shodan/Censys/FOFA-style exposure counts are not meaningful here.
Disclosure timelineOriginal Microsoft bulletin date: 2013-12-10; NVD publish date: 2013-12-11; Microsoft later republished guidance to clarify Windows 10/11 applicability and registry configuration.
Research / reportingPrimary authoritative sources are Microsoft MSRC / MS13-098 / Advisory 2915720. Real-world campaign context comes from Mandiant and Cybereason.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.4/10)

The decisive friction is that this finding requires malicious file delivery and execution on the endpoint, not unauthenticated network reachability into a service. The severity stays above LOW because the affected population is huge and exploitation evidence is real, but the blast radius starts only after a prior delivery stage succeeds.

HIGH Technical description and mitigation mechanics
HIGH KEV-listed / real-world exploitation status
MEDIUM Reassessed severity relative to Tenable's HIGH label

Why this verdict

  • Downgrade from scanner HIGH: plugin 166555 is checking for a missing opt-in registry hardening control, not an internet-facing service bug that can be hit cold from outside.
  • Attacker position matters: exploitation requires a prior delivery channel plus execution of a crafted PE, which means phishing, software distribution abuse, or supply-chain compromise has to happen first.
  • Population amplifier: almost every Windows estate has the relevant trust surface, so once attackers are in the file-delivery lane this bypass is broadly reusable.
  • Exploit evidence keeps it elevated: KEV listing and documented SIGFlip / 3CX-style abuse show attackers do use this, so this is not academic-only risk.
  • Modern controls should intercept multiple steps: email security, SmartScreen, WDAC/AppLocker, EDR, and reputation services all add real friction before and after the trust bypass.

Why not higher?

This is not a wormable or directly reachable RCE against a listening enterprise service. The attacker must first get a crafted PE onto the endpoint and have it executed, which compounds downward pressure on severity because it assumes an earlier compromise or delivery success. Even then, impact begins in the launching user's context and often depends on follow-on steps.

Why not lower?

Dropping this to LOW would ignore that CISA KEV and multiple campaign reports show the flaw has operational value to attackers. The sheer breadth of Windows deployment and the role of code-signing trust in software delivery means the bypass is a meaningful amplifier for phishing and supply-chain operations.

05 · Compensating Control

What to do — in priority order.

  1. Enable EnableCertPaddingCheck everywhere — Push the registry setting to both native and Wow6432Node paths across all supported Windows endpoints and servers. Because this CVE is KEV-listed, treat the deadline as immediately, within hours, not a normal MEDIUM cycle.
  2. Force software-distribution trust checks — Re-validate internal package repositories, deployment shares, golden images, and installer pipelines so code-signing is not the only gate. Prioritize externally sourced installers and remote-management tooling first, and complete the policy update within hours due to active exploitation history.
  3. Tighten application control — Use WDAC, AppLocker, ASR, or equivalent allow-listing/reputation controls so a PE that merely *looks* signed is not enough to execute freely. For estates without mature app control, at minimum enforce publisher/path rules on high-risk admin tiers within hours as a compensating move.
  4. Hunt for recently delivered signed binaries — Query EDR for recently downloaded or newly executed signed EXEs/DLLs from email, browsers, temp folders, and software updaters. Do the hunt within hours on admin workstations, VDI pools, and software-packaging systems where this bypass has the highest payoff.
What doesn't work
  • Relying on perimeter scanning: this is a host configuration state, so external attack-surface tools will not tell you whether the mitigation is enabled.
  • Assuming Windows Update alone fixes it on modern builds: Microsoft states supported Windows 10/11 contain the code, but the registry key still must be set.
  • Treating Authenticode trust as a sufficient allow condition: the whole point of this CVE is that a tampered PE can still look signed without strict padding validation.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your EDR/RMM as a local script. Invoke with powershell.exe -ExecutionPolicy Bypass -File .\Test-CVE-2013-3900.ps1; standard user rights can usually read the keys, but local admin is safer for remote orchestration and consistent 64-bit registry access.

noisgate-verify.ps1
POWERSHELLREAD-ONLYSAFE
# Test-CVE-2013-3900.ps1

# Checks whether EnableCertPaddingCheck is configured for CVE-2013-3900 mitigation.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


[CmdletBinding()]
param()

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-RegistryValue64 {
    param(
        [Parameter(Mandatory=$true)][string]$SubKey,
        [Parameter(Mandatory=$true)][string]$ValueName,
        [Parameter(Mandatory=$true)][Microsoft.Win32.RegistryView]$View
    )

    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $View)
        $key = $base.OpenSubKey($SubKey, $false)
        if ($null -eq $key) { return $null }
        return $key.GetValue($ValueName, $null, 'DoNotExpandEnvironmentNames')
    }
    catch {
        return $null
    }
}

function Test-EnabledValue {
    param([object]$Value)

    if ($null -eq $Value) { return $false }

    if ($Value -is [int] -or $Value -is [long] -or $Value -is [uint32]) {
        return ([int64]$Value -eq 1)
    }

    $s = $Value.ToString().Trim()
    return ($s -eq '1')
}

try {
    $os64 = [Environment]::Is64BitOperatingSystem
    $nativeSubKey = 'SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
    $wowSubKey    = 'SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    $name         = 'EnableCertPaddingCheck'

    $native = Get-RegistryValue64 -SubKey $nativeSubKey -ValueName $name -View ([Microsoft.Win32.RegistryView]::Registry64)
    $nativeOk = Test-EnabledValue -Value $native

    if (-not $os64) {
        if ($nativeOk) {
            Write-Output 'PATCHED'
            exit 0
        } else {
            Write-Output 'VULNERABLE'
            exit 1
        }
    }

    $wow = Get-RegistryValue64 -SubKey $wowSubKey -ValueName $name -View ([Microsoft.Win32.RegistryView]::Registry64)
    $wowOk = Test-EnabledValue -Value $wow

    if ($nativeOk -and $wowOk) {
        Write-Output 'PATCHED'
        exit 0
    }
    elseif ((-not $nativeOk) -or (-not $wowOk)) {
        Write-Output 'VULNERABLE'
        exit 1
    }
    else {
        Write-Output 'UNKNOWN'
        exit 2
    }
}
catch {
    Write-Output 'UNKNOWN'
    exit 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: stop treating Tenable 166555 like a classic network HIGH and treat it like KEV-backed endpoint hardening with immediate operational priority. Because this CVE is KEV-listed, override the normal MEDIUM timing and meet the noisgate mitigation SLA by pushing EnableCertPaddingCheck immediately, within hours to all supported Windows endpoints and servers, then verify at scale with a host-based check; there is no separate patch you should wait on for modern Windows, so do not hide behind the noisgate remediation SLA 365-day outer bound—close the configuration gap in the same campaign and document any compatibility exceptions explicitly.

Sources

  1. Tenable plugin 166555
  2. Microsoft Security Bulletin MS13-098
  3. Microsoft Security Advisory 2915720
  4. NVD CVE-2013-3900
  5. CISA Known Exploited Vulnerabilities entry
  6. Mandiant on 3CX and SIGFlip
  7. Cybereason NOOPDOOR analysis
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.