Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0261 and CVE-2017-0281.
AnalysisAI
Remote code execution in Microsoft Office 2010 SP2, 2013 SP1, and 2016 allows attackers to execute arbitrary code via maliciously crafted documents that trigger memory corruption when opened by victims. CISA KEV confirms active exploitation in the wild, with EPSS score of 64.26% (98th percentile) indicating very high real-world exploitation probability. Microsoft released patches in May 2017 security updates, making unpatched systems a critical priority for remediation.
Technical ContextAI
This vulnerability stems from improper memory handling when Microsoft Office processes document objects. The affected products (Office 2010 SP2, 2013 SP1, and 2016 per CPE data) fail to correctly validate or sanitize object structures during document parsing, leading to memory corruption conditions exploitable for arbitrary code execution. While no specific CWE classification is provided, the description points to a classic memory safety issue in Office's document processing engine. The local attack vector (AV:L) combined with required user interaction (UI:R) indicates exploitation requires victim interaction with attacker-supplied files, typically Office documents delivered via email, web download, or removable media. The vulnerability affects the core Office suite rather than a specific application component, impacting Word, Excel, PowerPoint, and potentially other Office applications sharing the vulnerable memory handling code.
RemediationAI
Apply Microsoft's May 2017 security updates immediately for all affected Office installations per the vendor advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262. Organizations should prioritize patch deployment based on CISA KEV listing and active exploitation status. For systems where immediate patching is infeasible, implement compensating controls: enable Office Protected View to sandbox untrusted documents from internet, email, and potentially unsafe locations (Settings > Trust Center > Protected View); configure Group Policy to block execution of Office macros from internet sources; deploy application whitelisting to prevent unauthorized code execution; implement email gateway scanning to quarantine suspicious Office attachments. Note that Protected View provides defense-in-depth but may impact usability for legitimate external documents. For air-gapped or legacy systems unable to patch, consider migrating critical workflows to Office 2019 or Microsoft 365 Apps with modern exploit mitigations, though migration introduces operational overhead and compatibility testing requirements.
Share
External POC / Exploit Code
Leaving vuln.today