CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
Analysis (AI)
Remote code execution in Microsoft Office 2007-2016 and Windows Vista through 10 allows attackers to run arbitrary code via malicious RTF or Office documents that abuse Windows API object linking. The vulnerability is confirmed as actively exploited (CISA KEV), and its EPSS score of 94.33% indicates near-certain real-world exploitation. Multiple public exploits are available, including weaponized RTF generators. Despite the local attack vector classification (AV:L), exploitation occurs remotely through email or web delivery of crafted documents; the only user interaction required is opening the file.
Technical Context (AI)
This vulnerability abuses the Windows Object Linking and Embedding (OLE) mechanism, specifically the HTA (HTML Application) handler that is invoked when Office applications process specially crafted RTF or Office documents. Affected products span Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2016, as well as WordPad on Windows Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1, Server 2008 R2 SP1, and Server 2012. The CPE data reveals extended impact, including Philips IntelliSpace Portal 7.0 medical imaging software. The attack leverages improper validation of embedded objects, allowing remote content to be retrieved and executed through the Windows API without triggering the standard macro security warnings. The CVSS classification of AV:L appears inconsistent with the exploitation methodology, which involves remote delivery of malicious documents; the local vector most plausibly refers to the code execution context rather than the delivery method.
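The linked-object lure described above leaves recognisable traces in the RTF itself, which makes a file-level triage check a useful first defensive step before any sample reaches a sandbox. The following PowerShell script is an added example, not code from the advisory, from vuln.today or from Microsoft. It assumes (the page does not name them) that the RTF control words \objautlink and \objupdate are the markers of interest for an auto-updating linked OLE object, and that Word and WordPad accept an RTF header as short as "{\rt"; hits are flagged for analyst review, not treated as proof.

```powershell
# Added example (not from the advisory or Microsoft): triage documents for RTF files
# that carry OLE auto-link / auto-update control words.
# ASSUMPTIONS not stated on the page: \objautlink and \objupdate are the markers of
# an auto-updating linked object, and a header as short as "{\rt" is accepted by
# Word/WordPad. A hit means "review", not "malicious".

function Test-RtfOleAutoLink {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Decode as Latin-1 so every byte maps to exactly one character and nothing is dropped.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)

    # Do not insist on "{\rtf1"; a shorter "{\rt" prefix is still opened as RTF.
    $isRtf = $text -match '^\s*\{\\rt'

    # Count the OLE control words of interest (in the regex, "\\" is one literal backslash).
    $autoLink = [regex]::Matches($text, '\\objautlink').Count
    $update   = [regex]::Matches($text, '\\objupdate').Count
    $objData  = [regex]::Matches($text, '\\objdata').Count

    # Auto-link combined with a forced update is the pairing to escalate first.
    $verdict = if (-not $isRtf) { 'not-rtf' }
               elseif ($autoLink -gt 0 -and $update -gt 0) { 'review-high' }
               elseif ($autoLink -gt 0 -or $update -gt 0 -or $objData -gt 0) { 'review' }
               else { 'clean' }

    [pscustomobject]@{
        Path       = $Path
        IsRtf      = $isRtf
        ObjAutLink = $autoLink
        ObjUpdate  = $update
        ObjData    = $objData
        Verdict    = $verdict
    }
}

function Invoke-RtfTriage {
    # Scan .rtf and .doc/.docx alike: an RTF body behind a .doc extension is a common lure,
    # so the extension alone must not decide what gets inspected.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -Path $Folder -File -Recurse -Include *.rtf, *.doc, *.docx |
        ForEach-Object { Test-RtfOleAutoLink -Path $_.FullName } |
        Where-Object { $_.Verdict -like 'review*' }
}

# Constructed self-check: a minimal inert RTF carrying only the control words (no object payload).
$sample = Join-Path $env:TEMP 'rtf-triage-sample.rtf'
Set-Content -Path $sample -Value '{\rtf1{\object\objautlink\objupdate{\*\objdata 00}}}' -Encoding ASCII
Test-RtfOleAutoLink -Path $sample | Format-List
Remove-Item -Path $sample

# Usage against a quarantine folder:
# Invoke-RtfTriage -Folder 'C:\quarantine' | Format-Table Path, Verdict, ObjAutLink, ObjUpdate -AutoSize
```

The scan works on raw bytes rather than a parsed RTF tree, so it tolerates the malformed headers and padding that real samples often carry, at the cost of occasional hits on legitimate documents with linked objects; those are exactly the files a reviewer should look at by hand.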
Remediation (AI)
Apply vendor-released security updates immediately from Microsoft Security Update Guide (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199). Microsoft released patches in April 2017 addressing all affected Office and Windows versions. For systems unable to patch immediately, implement compensating controls: disable the Windows HTA handler by modifying registry key HKEY_CLASSES_ROOT\htafile\Shell\Open\Command (note: breaks legitimate HTA applications used by IT departments). Configure Office Trust Center to block activation of all OLE packages and embedded objects via Group Policy setting 'Packager Activation' to 'Enabled: Prompt User' or 'Enabled: Disable' (trade-off: may break legitimate documents with embedded objects). Deploy email gateway filtering to block RTF attachments and Office documents with embedded OLE objects from external sources (side effect: blocks some legitimate business documents). For Philips IntelliSpace Portal 7.0 users, consult https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02 for medical device-specific guidance. Given active exploitation status, prioritize patching over workarounds.
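Two of the compensating controls above are local registry settings, so their state can be audited on an endpoint before and after a rollout. The script below is an added example, not the advisory's, vuln.today's or Microsoft's own code. It reads the HKEY_CLASSES_ROOT\htafile\Shell\Open\Command handler named above (report only; the page does not specify a replacement value, so none is written), and audits and optionally enforces the Packager Activation policy for the current user. It assumes, since the page does not state it, that the policy is backed by the DWORD PackagerPrompt under HKCU\Software\Policies\Microsoft\Office\<version>\<app>\Security with 1 = prompt user and 2 = disable, and that versions 12.0, 14.0, 15.0 and 16.0 correspond to Office 2007, 2010, 2013 and 2016.

```powershell
# Added example (not the advisory's or Microsoft's own script): audit the two host-side
# workarounds on the local machine and optionally enforce Packager Activation for the
# current user.
# ASSUMPTIONS not stated on the page: the policy is backed by DWORD PackagerPrompt under
# HKCU\Software\Policies\Microsoft\Office\<version>\<app>\Security, 1 = prompt, 2 = disable.
# Verify against the Office ADMX for your build before relying on it.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Prompt', 'Disable')]
    [string]$PackagerMode,                                         # omit for audit only
    [string[]]$OfficeVersions = @('12.0', '14.0', '15.0', '16.0'), # 2007, 2010, 2013, 2016
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
)

function Get-HtaHandlerStatus {
    # Default (unnamed) value of the .hta handler key named in the remediation text.
    $key  = 'Registry::HKEY_CLASSES_ROOT\htafile\Shell\Open\Command'
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    $cmd  = if ($item) { $item.GetValue('') } else { $null }
    [pscustomobject]@{
        Key      = $key
        Command  = $cmd
        # Stock Windows points this at mshta.exe; anything else means the handler was altered.
        Hardened = -not ($cmd -match 'mshta\.exe')
    }
}

function Get-PackagerPromptStatus {
    param([string[]]$Versions, [string[]]$AppNames)
    foreach ($ver in $Versions) {
        foreach ($app in $AppNames) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $val = (Get-ItemProperty -Path $key -Name PackagerPrompt -ErrorAction SilentlyContinue).PackagerPrompt
            # switch does not iterate over $null, so handle the unset case explicitly.
            $state = 'NotConfigured'
            if ($null -ne $val) {
                $state = switch ([int]$val) {
                    2       { 'Disable' }
                    1       { 'Prompt' }
                    0       { 'Allow' }
                    default { "Unknown($val)" }
                }
            }
            [pscustomobject]@{ Version = $ver; App = $app; State = $state; Key = $key }
        }
    }
}

function Set-PackagerPrompt {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Value, [string[]]$Versions, [string[]]$AppNames)
    foreach ($ver in $Versions) {
        foreach ($app in $AppNames) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            # -WhatIf on the script flows through to this ShouldProcess call.
            if ($PSCmdlet.ShouldProcess($key, "Set PackagerPrompt = $Value")) {
                New-Item -Path $key -Force | Out-Null
                New-ItemProperty -Path $key -Name PackagerPrompt -PropertyType DWord -Value $Value -Force | Out-Null
            }
        }
    }
}

Get-HtaHandlerStatus | Format-List
Get-PackagerPromptStatus -Versions $OfficeVersions -AppNames $Apps |
    Format-Table Version, App, State, Key -AutoSize

if ($PackagerMode) {
    $value = if ($PackagerMode -eq 'Disable') { 2 } else { 1 }
    Set-PackagerPrompt -Value $value -Versions $OfficeVersions -AppNames $Apps
    Get-PackagerPromptStatus -Versions $OfficeVersions -AppNames $Apps |
        Format-Table Version, App, State -AutoSize
}
```

Run the script with no arguments for a read-only audit, and with -PackagerMode Disable -WhatIf to preview the writes before applying them. The Packager setting is written under HKCU, so it covers only the user running the script; for fleet-wide enforcement use the Group Policy setting the text names, and use this script to verify that the policy actually landed on endpoints.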