⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-05-03.

CVE-2017-0199Code Injection in Corporation Office Wordpad

CWE-399CWE-94Code InjectionCWE-20Improper Input ValidationCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer273 documents25 sources
Severity
7.8HIGHNVD
VulnCheck9.8VulnCheck8.8
EPSS
94.3%
top 0.05%
CISA KEV
KEVRansomware
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
14
Microsoft Corporation Office WordpadMicrosoft OfficeMicrosoft Windows Server 2008+11 more
Timeline
PublishedApr 12
KEV addedNov 3
KEV dueMay 3
Latest updateMar 6
CISA Required Action: Apply updates per vendor instructions.

Description

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages14 packages

CVEListV5microsoft_corporation/office_wordpadOffice 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8.1

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

7
GHSA
GHSA-mrf9-75pc-cjmm: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 202022-05-13
VulnCheck
Microsoft Office and WordPad Remote Code Execution Vulnerability2017
VulnCheck
Adobe Flash Player Arbitrary Code Execution Vulnerability2016
VulnCheck
Microsoft Office Memory Corruption Vulnerability2015
VulnCheck
Microsoft Office Malformed EPS File Vulnerability2015

💥Exploits & PoCs

5
Exploit-DB
Microsoft Office - 'Composite Moniker Remote Code Execution2018-01-09
Exploit-DB
Microsoft Excel - OLE Arbitrary Code Execution2017-09-30
Exploit-DB
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)2017-04-25
Exploit-DB
Microsoft Word - '.RTF' Remote Code Execution2017-04-18
Metasploit
Microsoft Office Word Malicious Hta Execution

🔍Detection Rules

12
Suricata
ET MALWARE HTTP Andromeda File Request2017-07-21
Suricata
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl2017-07-07
Suricata
ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)2017-06-29
Suricata
ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL2017-06-19
Suricata
ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request2017-04-19

📋Vendor Advisories

2
CISA
Microsoft Office and WordPad Remote Code Execution Vulnerability2021-11-03
Microsoft
Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows2017-04-11

🕵️Threat Intelligence

235
Securelist
Vulnerability landscape in Q4 20252026-03-06
Securelist
Exploits and vulnerabilities in Q4 20252026-03-06
Securelist
Exploits and vulnerabilities in Q3 20252025-12-03
Securelist
Analyzing the vulnerability landscape in Q3 20252025-12-03
Securelist
A new RevengeHotels campaign targets Latin America2025-09-16

📄Research Papers

8
arXiv
KillChainGraph: ML Framework for Predicting and Mapping ATT&CK Techniques2025-08-19
arXiv
CLIProv: A Contrastive Log-to-Intelligence Multimodal Approach for Threat Detection and Provenance Analysis2025-07-12
arXiv
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing2025-05-29
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures2025-02-12
arXiv
Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting2021-02-10
CVE-2017-0199 — Code Injection | cvebase