CVE-2015-6585
Published 2017-07-25
Priority P271 · Severity high · CVSS 3.0 base score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 2.49% (82.6th percentile)
hwpapp.dll in Hangul Word Processor allows remote attackers to execute arbitrary code via a crafted heap spray, and by leveraging a "type confusion" via an HWPX file containing a crafted para text tag.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hancom | hangul_word_processor | — | — |
Detection & IOCs (extracted from sources)
- CVE-2015-6585 is triggered via a crafted HWPX file containing a malicious para text tag, exploiting a type confusion vulnerability in hwpapp.dll to achieve heap spray and arbitrary code execution.
- Lazarus Group weaponized .hwp files exploiting CVE-2015-6585 in spear phishing campaigns targeting South Korean users; hunt for malicious .hwp/.hwpx attachments in email telemetry.
- The CVE-2015-6585 exploit targets only users of Hancom's Hangul Word Processor (.hwp/.hwpx files); detection is only relevant in environments where HWP is installed (predominantly South Korean targets).
- The related campaign's lure documents were all created within a one-month window (mid-October to late November 2017) with nearly identical delivery mechanisms but different payloads and altered 4-byte XOR keys per sample, limiting hash-based detection reuse.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 3.4 | LOW | — |
| vulncheck | — | 7.8 | HIGH | — |
GHSA
GHSA-7g96-gxmq-x3pq: hwpapp (CVE-2015-6585, HIGH, CWE-119)
Source: ghsa_unreviewed · 2022-05-17
hwpapp.dll in Hangul Word Processor allows remote attackers to execute arbitrary code via a crafted heap spray, and by leveraging a "type confusion" via an HWPX file containing a crafted para text tag.
OSV
openjdk-7 vulnerabilities (CVE-2014-3566)
Source: osv · 2015-01-28 · CVSS 3.4
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601, CVE-2015-0395,
CVE-2015-0408, CVE-2015-0412)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-6585, CVE-2014-6591, CVE-2015-0400,
CVE-2015-0407)
A vulnerability was discovered in the OpenJDK JRE related to
information disclosure and integrity. An attacker could exploit this to
expose sensitive data over the network. (CVE-2014-6593)
A vulnerability was discovere
VulnCheck
hancom hangul_word_processor: Improper Restriction of Operations within the Bounds of a Memory Buffer (CVE-2015-6585, HIGH)
Source: vulncheck · 2015 · CVSS 7.8
hwpapp.dll in Hangul Word Processor allows remote attackers to execute arbitrary code via a crafted heap spray, and by leveraging a "type confusion" via an HWPX file containing a crafted para text tag.
Affected: hancom hangul_word_processor
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation references:
- https://github.com/kbandla/APTnotes/issues/260
- https://us-cert.cisa.gov/ncas/alerts/TA17-164A
- https://cisa.gov/news-events/alerts/2017/06/13/hidden-cobra-north-koreas-ddos-botnet-infrastructure
- https://www.38north.org/2025/10/hwp-as-an-attack-surface-what-hancoms-hangul
No detection rules found.
No public exploits indexed.
Recorded Future
North Korea's Late 2017 Campaign Targeted South Korean Cryptocurrency Users (HIGH, CVSS 7.8)
Source: blogs_recorded_future
# North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
### Key Judgements
- North Korean government actors, specifically Lazarus Group, continued to target South Korean cryptocurrency exchanges and users in late 2017, before Kim Jong Un’s New Year’s speech and subsequent North-South dialogue.
- This campaign also targeted South Korean college students interested in foreign affairs and part of a group called “Friends of MOFA” (Ministry of Foreign Affairs).
- The malware employed shared code with Destover malware, which was used against Sony Pictures Entertainment in 2014 and the first WannaCry victim in February 2017.
- The dropper in this campaign exploited a known Ghostscript vulnerability, CVE-2017-8291. The exploit implementation includes Chinese t
References
- http://www.hancom.com/cs_center/csDownload.do
- http://www.securityfocus.com/bid/76694
- https://www.fireeye.com/blog/threat-research/2015/09/zero-day_hwp_exploit.html
- https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf