CVE-2015-2469
published 2015-08-15

CVE-2015-2469: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, and Office for Mac 2011 allow remote attackers to execute arbitrary code via a crafted document, aka…

Priority: P2 (66) · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 26.86% (97.8th percentile)
Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, and Office for Mac 2011 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."

Affected (5 ranges)

Vendor      Product   Version range   Fixed in
apache      nifi
microsoft   office
microsoft   office
microsoft   word
microsoft   word

Detection & IOCs (extracted from sources)

filename: 1981563878_min.doc
filename: 1981563878_crash.doc
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37910.zip
process: wwlib.dll version 12.0.6720.5000
process: mso.dll version 12.0.6721.5000
  • Crash occurs in wwlib!FMain+0x67086 when eax (derived from 3rd argument at 0x312ab5e7) points to a heap allocation of size 0xa8, and offsets +0xAC, +0xB0, +0xB4, +0xB8 are pushed, exceeding the allocated size — triggering an out-of-bounds read/write. Monitor for access violations in wwlib.dll at these offsets.
  • The exploitable memory write primitive resides at wwlib!FMain+0x66d93 (0x312ab34a); instructions at 0x312ab356 and 0x312ab358 perform sub/add on attacker-influenced memory. Flag execution reaching these addresses from a Word document parsing context.
  • The vulnerability is triggered via malformed PAPXFKP structures in a .doc (Word Binary Format) file. Specifically, three deltas at file offsets 0x2404, 0x4041, and 0x8057 within stPapxFKPs[23] corrupt rgfc and bOffset fields. Inspect .doc files for anomalous PAPXFKP rgfc/bOffset values.
  • Root cause is assessed as a type confusion vulnerability in wwlib.dll during parsing of Word Binary Document PAPXFKP structures, leading to an out-of-bounds heap read and subsequent memory corruption write. Alert on type confusion patterns in wwlib.dll call stacks involving FMain+0xd6e80 through FMain+0x67086.
  • Crash and exploitability were confirmed only with Microsoft Office File Validation Add-In disabled and Application Verifier (pageheap) enabled. Without pageheap, the out-of-bounds access may not immediately fault, potentially allowing silent memory corruption.
  • The bug also reproduces on Office 2010 on Windows 7 x86, so detection rules should cover both Office 2007 (wwlib.dll 12.0.6720.5000) and Office 2010 SP2 targets.

CVSS provenance

nvd (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_apache: 9.8