CVE-2015-1770
Published 2015-06-10
Priority P183 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 35.10% (98.2th percentile)
Microsoft Office 2013 SP1 and 2013 RT SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Uninitialized Memory Use Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
Detection & IOCs (extracted from sources)
Bytes: heap spray of 0xCC bytes with a series of 0x08 and 0x41 marker bytes (CVE-2015-1770 ActiveX exploit structure)
- Look for ActiveX CLSID CDDBCC7C-BE18-4A58-9CBF-D62A012272CE in RTF/Office documents; its presence triggers loading of OSF.DLL and is the activation vector for CVE-2015-1770.
- The CVE-2015-1770 exploit is embedded in OLE objects within weaponized RTF documents; specifically in activeX39.xml and activeX40.xml inside the word/activex directory of the embedded ZIP.
- The CVE-2015-1770 exploit ActiveX binary uses a heap spray of 0xCC bytes followed by 0x08/0x41 marker bytes before stage 1 shellcode; scan memory or file content for this pattern in Office ActiveX binaries.
- Exploitation of CVE-2015-1770 via the hard-coded ROP gadget addresses and heap spray fails on 64-bit Office installations because msvcr71.dll is not present in the Office15 native add-ons folder on 64-bit systems.
- Analysis of the exploitation root cause was ongoing at time of publication; multiple researchers suggested differing vulnerabilities and conclusive attribution of the exact code path was lacking.
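CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |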
VulDB
Microsoft Office 2013 SP1 Office Document data processing (MS15-059 / Nessus ID 84055)
vuldb·2026-04-22·CVSS 8.8
CVE-2015-1770 [HIGH] Microsoft Office 2013 SP1 Office Document data processing (MS15-059 / Nessus ID 84055)
A vulnerability categorized as critical has been discovered in Microsoft Office 2013 SP1. Affected by this vulnerability is an unknown functionality of the component Office Document Handler. Executing a manipulation can lead to data processing error.
This vulnerability is registered as CVE-2015-1770. It is possible to launch the attack remotely. Furthermore, an exploit is available.
It is best practice to apply a patch to resolve this issue.
GHSA
GHSA-63xg-2ggr-xj5w: Microsoft Office 2013 SP1 and 2013 RT SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Unini
ghsa_unreviewed·2022-05-14
CVE-2015-1770 [HIGH] CWE-824 GHSA-63xg-2ggr-xj5w: Microsoft Office 2013 SP1 and 2013 RT SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Unini
Microsoft Office 2013 SP1 and 2013 RT SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Uninitialized Memory Use Vulnerability."
VulnCheck
Microsoft Office Uninitialized Memory Use Vulnerability
vulncheck·2015·CVSS 8.8
CVE-2015-1770 [HIGH] CWE-19 Microsoft Office Uninitialized Memory Use Vulnerability
Microsoft Office Uninitialized Memory Use Vulnerability
Microsoft Office allows remote attackers to execute arbitrary code via a crafted Office document.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf; https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-18
CISA
Microsoft Office Uninitialized Memory Use Vulnerability
cisa·2022-03-28·CVSS 8.8
CVE-2015-1770 [HIGH] CWE-19 Microsoft Office Uninitialized Memory Use Vulnerability
Vulnerability: Microsoft Office Uninitialized Memory Use Vulnerability
Affected: Microsoft Office
Microsoft Office allows remote attackers to execute arbitrary code via a crafted Office document.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-1770
Remediation Due Date: 2022-04-18
No detection rules found.
No public exploits indexed.
Unit42
RTF Exploit Installs Italian RAT: uWarrior
blogs_unit42·2015-08-24·CVSS 8.8
CVE-2012-1856 [HIGH] RTF Exploit Installs Italian RAT: uWarrior
Brandon Levene
Robert Falcone
Tomer Bar
Tom Keigher
Published: August 24, 2015
Malware
Threat Research
Remote Access Tool
UWarrior
Unit 42 researchers have observed a new Remote Access Tool (RAT) constructed by an unknown actor of Italian origin. This RAT, referred to as uWarrior because of embedded PDB strings, has been previously described by an independent researcher who noted a potentially unknown exploit being used against Microsoft Office.
Initial research into the exploit by Unit 42 indicates that this actor has opted to include multiple exploits. One is CVE-2012-1856, reinvigorated with a novel ROP chain to bypass ASLR and deliver the uWarrior payload. The other appears to be CVE-2015-1770. The malware itself is a fully featured RAT, which uses a compressed, (optionally) encrypted, raw TCP socket and binary message protocol for command and control communications.
During the course of our research, it became
Talos
Microsoft Patch Tuesday - June 2015
blogs_talos·2015-06-09·CVSS 9.3
[CRITICAL] Microsoft Patch Tuesday - June 2015
## Microsoft Patch Tuesday - June 2015
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 8 bulletins being released which address 45 CVE. Two of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer and Windows Media Player. The remaining six bulletins are marked as Important and address vulnerabilities in Microsoft Office, Windows Kernel, Active Directory, Microsoft Exchange Server, and Microsoft Common Controls.
## Bulletins Rated Critical
MS15-056 and MS15-057 are rated Critical.
MS15-056 is this month’s Internet Explorer security bulletin with vulnerabilities in versions 6 through 11 being addressed. This month 24 CVE were addressed. The majority of those CVE were memo
Crowdstrike
Arrests Put New Focus on CARBON SPIDER Adversary Group
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Arrests Put New Focus on CARBON SPIDER Adversary Group
Zscaler
Zscaler detects IE & MS Office Vulnerabilities | 06-09-2015
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler detects IE & MS Office Vulnerabilities | 06-09-2015
- http://www.securityfocus.com/bid/75016
- http://www.securitytracker.com/id/1032523
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-059
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-1770
2015-06-10: Published
2022-03-28: Added to CISA KEV
Exploited in the wild