Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
1

CVE-2022-21840

Disclosure Date: January 11, 2022
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Microsoft Office Remote Code Execution Vulnerability

Add Assessment

1
Ratings
Technical Analysis

Looks like this is your fairly typical maliciously crafted document exploit for Microsoft Office. These bugs are used all the time by APTs and other groups simply cause its relatively easy to convince people to open documents given the right context, and even though some people will be fairly vigilant, all it takes is compromising one user to get an initial foothold into a target network.

This bug appears to affect all Microsoft Office versions since 2013 up to and including the latest Microsoft Office online solutions and also including Microsoft Sharepoint Servers from 2013 onwards, meaning that it has quite a wide range of potential targets. User interaction is required though in the form of opening a malicious document,

Given the supposedly low complexity of exploiting this vulnerability combined with the wide range of target that it can exploit, I’d expect to see exploits for this vulnerability in the wild over the coming few months.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • excel 2013,
  • excel 2016,
  • office 2013,
  • office 2016,
  • office 2019,
  • office 2021,
  • office online server -,
  • office web apps 2013,
  • sharepoint enterprise server 2013,
  • sharepoint server -,
  • sharepoint server 2013,
  • sharepoint server 2016,
  • sharepoint server 2019

Additional Info

Technical Analysis