⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions.

CVE-2016-3235

CWE-264 (Permissions, Privileges, and Access Controls) | 7 documents | 7 sources

Severity: 7.8 HIGH (CVSS v3.1)
EPSS: 81.2% (top 0.84%)
CISA KEV: added 2021-11-03, due 2022-05-03
Exploit: exploited in the wild, active exploitation observed

Timeline
Published: 2016-06-16
KEV added: 2021-11-03
KEV due: 2022-05-03
Latest update: 2022-05-14

Description

Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Microsoft Office OLE DLL Side Loading Vulnerability."
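A practitioner reading this entry usually wants a way to spot the behaviour rather than a restatement of the description. The following is an added example, not code from this page, from Microsoft or from any of the listed sources: it scans Sysmon-style image-load records (Event ID 7) for an Office process loading a DLL from outside the trusted install and system directories, which is the trace a DLL side-loading attack of this class leaves behind. The log lines, paths, watched process list and DLL names are constructed for illustration; the DLL names are not the libraries involved in CVE-2016-3235, which the page does not identify.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Directories from which an Office process is expected to load DLLs.
# Anything resolved from elsewhere (user profile, temp, a network share,
# the directory of an opened document) is a side-loading candidate.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Process names to watch. Assumed names; extend for your Office deployment.
WATCHED_IMAGES = {"visio.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

# Key=Value or Key="Value with spaces" tokens of the flattened record.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened event record into a dict of field values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_trusted_path(path: str) -> bool:
    """True if the DLL sits under a directory standard users cannot write to."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Return side-loading candidates from Sysmon-style image-load (ID 7) events."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":  # only image-load events matter here
            continue
        process = basename(ev.get("Image", ""))
        if process not in WATCHED_IMAGES:
            continue
        dll = ev.get("ImageLoaded", "")
        if not is_trusted_path(dll):
            findings.append(Finding(process, dll, "dll loaded from outside trusted directories"))
        elif ev.get("Signed", "").lower() == "false":
            # Unsigned code in a trusted directory is rarer but worth review:
            # a DLL planted in the install directory shows up this way.
            findings.append(Finding(process, dll, "unsigned dll loaded from trusted directory"))
    return findings


# Constructed sample telemetry (not real data): a flattened rendering of
# Sysmon Event ID 7 (image loaded) records plus one Event ID 1 (process create).
SAMPLE_LOG = [
    'EventID=7 Image="C:\\Program Files\\Microsoft Office\\Office16\\VISIO.EXE" '
    'ImageLoaded="C:\\Windows\\System32\\ole32.dll" Signed=true',
    'EventID=7 Image="C:\\Program Files\\Microsoft Office\\Office16\\VISIO.EXE" '
    'ImageLoaded="C:\\Users\\alice\\Downloads\\helper.dll" Signed=false',
    'EventID=7 Image="C:\\Windows\\System32\\svchost.exe" '
    'ImageLoaded="C:\\Users\\alice\\Downloads\\helper.dll" Signed=false',
    'EventID=7 Image="C:\\Program Files\\Microsoft Office\\Office16\\VISIO.EXE" '
    'ImageLoaded="C:\\Program Files\\Microsoft Office\\Office16\\addin.dll" Signed=false',
    'EventID=1 Image="C:\\Program Files\\Microsoft Office\\Office16\\VISIO.EXE" '
    'CommandLine="VISIO.EXE diagram.vsdx"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.process}: {f.dll} ({f.reason})")
```

Real Sysmon events are XML in the Windows event log; the flat Key=Value form above stands in for whatever your pipeline exports, and only the field names (Image, ImageLoaded, Signed) match Sysmon's. The trusted list is an allowlist of directories standard users cannot write to, so any directory your Office deployment installs into outside Program Files needs its own entry, and the svchost line shows why the process filter matters: the same unsigned DLL loaded by a non-Office process is a different hunt.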

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Read as: local attack vector, low attack complexity, no privileges required, user interaction required (the victim must run or open the crafted content), unchanged scope, high confidentiality, integrity and availability impact.

Affected Packages (2 packages)

NVD: microsoft/visio_viewer (2007 SP3, 2010)
NVD: microsoft/visio (4 versions: 2007 SP3, 2010 SP2, 2013 SP1, 2016)

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-75wh-cm5h-4j85, 2022-05-14 (same description as above)
CVEList: CVE-2016-3235, 2016-06-16 (same description as above)
VulnCheck: Microsoft Office OLE DLL Side Loading Vulnerability, 2016

💥 Exploits & PoCs (1)

Exploit-DB: Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit), 2015-12-08
Note that the entry date precedes this CVE's publication (2016-06-16): the module covers several Office OLE DLL side-loading issues across the bulletins in its title, not only this one.

📋 Vendor Advisories (2)

CISA: Microsoft Office OLE DLL Side Loading Vulnerability, 2021-11-03
Microsoft: Microsoft Office Remote Code Execution Vulnerability, 2016-06-14
CVE-2016-3235 (HIGH CVSS 7.8) | Microsoft Visio 2007 SP3 | cvebase.io