Very High
CVE-2023-21716
Description
Microsoft Word Remote Code Execution Vulnerability
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
A vulnerability in Microsoft’s Word wwlib allows attackers to get LCE with the privileges of the victim who opens a malicious RTF document. An attacker would be able to deliver this payload in several ways, including as an attachment in spear-phishing attacks.
Affected Versions
This vulnerability affects at least the following versions of Microsoft Office:
- Microsoft Office 365 (Insider Preview – 2211 Build 15831.20122 CTR)
- Microsoft Office 2016 (Including Insider Slow – 1704 Build 8067.2032 CTR)
- Microsoft Office 2013
- Microsoft Office 2010
- Microsoft Office 2007
Acknowledgement
This issue was discovered, analyzed, and reported by Joshua J. Drake (@jduck).
PoC code from @jduck:
General Information
Vendors
- Microsoft
Products
- Microsoft Office
- Microsoft SharePoint Server Subscription Edition
- Microsoft 365 Apps for Enterprise
- SharePoint Server Subscription Edition Language Pack
- Microsoft Office Online Server
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Enterprise Server 2013 Service Pack 1
- Microsoft SharePoint Server 2019
- Microsoft Word
- Microsoft Office Web Apps Server
- Microsoft SharePoint Foundation 2013 Service Pack 1
There’s user interaction required here, right?
Yes, in case the exploit code is hidden as an attachment, the user should open that attachment.
are vulnerable too
Note that, even if user interaction is required, it can be minimal. According to Microsoft, the Preview Pane is also an attack vector, which means the user doesn’t need to open the file. Loading the RTF document in the Preview Pane should also trigger the vulnerability.