CVE-2006-2389
published 2006-07-11

CVE-2006-2389: Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute…

Priority: P352 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 38.84% (98.4th percentile)
Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with a malformed property that triggers memory corruption related to record lengths, aka "Microsoft Office Property Vulnerability," a different vulnerability than CVE-2006-1316.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
microsoft | office | |
microsoft | office | |
microsoft | office | |

Detection & IOCs (extracted from sources)

bytes
\x78\x9C (zlib-compressed malicious Office file payload)
  • The exploit embeds a zlib-compressed (magic bytes 0x78 0x9C) malicious Office file payload. Scanning for zlib-compressed streams inside Office documents that contain shellcode patterns (e.g., WinExec + ExitProcess stub) is a strong indicator of exploitation.
  • The shellcode is an 'Allwin WinExec cmd.exe + ExitProcess' stub (195 bytes). Detection should look for this shellcode pattern beginning with \xFC\x33\xD2\xB2\x30\x64\xFF\x32 inside Office document streams.
  • The vulnerability is triggered by a malformed property record length in an Office file. Anomalous or oversized property record lengths in OLE compound document streams (e.g., .doc, .xls, .ppt) should be flagged for CVE-2006-2389.
  • The exploit targets Microsoft Office 2003 on Windows XP SP2. Process monitoring for cmd.exe spawned as a child of WINWORD.EXE, EXCEL.EXE, or POWERPNT.EXE is a strong post-exploitation indicator.
  • The exploit is user-assisted; the victim must open a specially crafted Office file. This limits automated delivery but makes phishing/email-attachment vectors the primary attack surface.
  • CVE-2006-2389 is a distinct vulnerability from CVE-2006-1316, though both involve malformed Office properties. Detection rules should not conflate the two.
  • Affected products span a wide range: Office 2003 SP1/SP2, Office XP SP3, Office 2000 SP3, and other products. Detection/patching scope should cover all listed versions.
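A scanner for the first two indicators above, written as an added example and not taken from any of the quoted sources: it locates every 0x78 0x9C candidate in a file's bytes, inflates each one under an output cap, and reports streams whose contents contain the 8-byte prefix listed above. The function names, the 1 MiB cap, and the sample document built in `build_sample` are assumptions made for this illustration.

```python
import zlib

ZLIB_MAGIC = b"\x78\x9c"                              # magic bytes listed above
SHELLCODE_PREFIX = bytes.fromhex("fc33d2b23064ff32")  # 8-byte prefix listed above
MAX_OUT = 1 << 20  # assumed cap on inflated bytes per stream (bomb guard)

def inflate_at(data, offset, limit=MAX_OUT):
    """Inflate a zlib stream starting at offset; None if it is not valid."""
    try:
        out = zlib.decompressobj().decompress(data[offset:], limit)
    except zlib.error:
        return None            # magic bytes matched by coincidence only
    return out or None

def scan_document(data):
    """Return one record per zlib stream that actually inflates."""
    hits = []
    pos = data.find(ZLIB_MAGIC)
    while pos != -1:
        out = inflate_at(data, pos)
        if out is not None:
            idx = out.find(SHELLCODE_PREFIX)
            hits.append({"offset": pos,
                         "inflated_len": len(out),
                         "prefix_at": idx if idx != -1 else None})
        pos = data.find(ZLIB_MAGIC, pos + 1)
    return hits

def build_sample():
    """Constructed test input: OLE header, one benign stream, one stray
    magic pair, and one stream holding the prefix plus inert zero filler."""
    blob = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 64
    where = {"benign": len(blob)}
    blob += zlib.compress(b"constructed summary text " * 10)
    where["stray"] = len(blob)
    blob += ZLIB_MAGIC + b"\xff" * 4      # not a decodable deflate block
    where["suspicious"] = len(blob)
    blob += zlib.compress(SHELLCODE_PREFIX + b"\x00" * 187)  # 195 bytes
    return blob, where

if __name__ == "__main__":
    sample, _ = build_sample()
    for hit in scan_document(sample):
        verdict = "FLAG" if hit["prefix_at"] is not None else "ok"
        print(verdict, hit)
```

A flagged stream is a lead for triage alongside the property record length and child-process indicators, since the prefix match alone says nothing about whether the surrounding document is well-formed.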