CRITICAL: THIS VULNERABILITY IS ACTIVELY BEING EXPLOITED IN THE WILD (CISA KEV CATALOG)

CVE-2011-1889

Exploited

Microsoft Forefront Threat Management Gateway (TMG) 2010 - NSPLookupServiceNext function

Microsoft CVSS 9.8 Updated April 30, 2026

Executive Risk Summary

"The TMG Firewall Client Memory Corruption Vulnerability allows remote attackers to execute arbitrary code via vectors involving unspecified requests. This vulnerability can be exploited to gain unauthorized access to the system, potentially leading to data breaches and system compromise."

Anticipated Attack Path

  1. Initial Exploitation: Attacker sends malicious request to the NSPLookupServiceNext function
  2. Privilege Escalation: Arbitrary code execution allows attacker to gain elevated privileges
  3. Lateral Movement: Attacker uses compromised system to move laterally within the network

Am I Vulnerable?

  • Verify the presence of the NSPLookupServiceNext function in the TMG client
  • Check for any suspicious network activity related to the TMG client
  • Apply the MS11-040 patch to mitigate the vulnerability

Operational Audit Arsenal

Target Type: Windows Service
Target Asset: NSPLookupServiceNext
Standard Path: Microsoft Forefront Threat Management Gateway (TMG) 2010 client
PowerShell
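# 🛠️ Senior Engineer Universal Audit
# Target: NSPLookupServiceNext (Windows Service)
# Note: -Include matches file names, and NSPLookupServiceNext is a function name,
# so only a file with exactly that name is returned.
$Targets = 'NSPLookupServiceNext'
# Drop empty or missing paths (e.g. ProgramFiles(x86) on 32-bit systems), which would
# otherwise make Get-ChildItem fail on parameter binding.
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ -and (Test-Path $_) }

# List each match with its full path and product version
Get-ChildItem -Path $SearchPaths -Include $Targets -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, @{Name="Version";Expression={$_.VersionInfo.ProductVersion}}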

Patch Impact Forecast

Reboot Required: Likely

Potential disruption to network traffic and system availability during patch application

Internal Work Notes

Apply MS11-040 patch to mitigate TMG Firewall Client Memory Corruption Vulnerability (CVE-2011-1889) and prevent arbitrary code execution

Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.