⚠ Actively exploited
Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-24. Required action: Apply updates per vendor instructions..

CVE-2016-7262Improper Input Validation in Microsoft Excel

CWE-20Improper Input Validation6 documents6 sources
Severity
7.8HIGHNVD
EPSS
87.1%
top 0.55%
CISA KEV
KEV
Added 2022-03-03
Due 2022-03-24
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Microsoft Excel
Timeline
PublishedDec 20
KEV addedMar 3
KEV dueMar 24
Latest updateMay 14
CISA Required Action: Apply updates per vendor instructions.

Description

Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer allow user-assisted remote attackers to execute arbitrary commands via a crafted cell that is mishandled upon a click, aka "Microsoft Office Security Feature Bypass Vulnerability."

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

NVDmicrosoft/excel4 versions+3

Patches

Patch: docs.microsoft.comPatch: docs.microsoft.com

🔴Vulnerability Details

3
GHSA
GHSA-r3jw-q3j2-jqv3: Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer allow user-as2022-05-14
CVEList
CVE-2016-7262: Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer allow user-as2016-12-20
VulnCheck
Microsoft Office Security Feature Bypass Vulnerability2016

📋Vendor Advisories

2
CISA
Microsoft Office Security Feature Bypass Vulnerability2022-03-03
Microsoft
Microsoft Excel Security Feature Bypass Vulnerability2016-12-13
CVE-2016-7262 — Improper Input Validation in Microsoft | cvebase