CVE-2017-0262
published 2017-05-12

Priority: P183
CVSS 3.1: 7.8 (high)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2022-08-10
ITW: Exploited in the wild
EPSS: 80.73% (99.6th percentile)

Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0261 and CVE-2017-0281.

Affected

19 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | | |
| microsoft | office | | |
| microsoft | office | | |
| microsoft | office | | |
| microsoft | office_online_server | | |
| microsoft | office_web_apps | | |
| microsoft | office_web_apps | | |
| microsoft | project_server | | |
| microsoft | sharepoint_foundation | | |
| microsoft | sharepoint_server | | |
| microsoft | sharepoint_server | | |
| microsoft | sharepoint_server | | |
| microsoft | skype_for_business | | |
| microsoft | word | | |
| microsoft_corporation | microsoft_office | | |
| msrc | microsoft_office_2010_service_pack_2 | | |
| msrc | microsoft_office_2013_rt_service_pack_1 | | |
| msrc | microsoft_office_2013_service_pack_1 | | |
| msrc | microsoft_office_2016 | | |

Detection & IOCs (extracted from sources)

  • CVE-2017-0262 is a Microsoft Office Encapsulated PostScript (EPS) type confusion exploit, delivered via a spearphish .docx attachment and used by Sofacy/APT28 to drop the GAMEFISH backdoor (~30kb) against NATO-related targets in Europe.
  • CVE-2017-0262 was chained with CVE-2017-0263 (EoP use-after-free) in the same spearphish document; detections should look for both CVEs triggered together from an Office process.
  • The GAMEFISH payload dropped via CVE-2017-0262 exploitation is described only as 'a small 30kb backdoor'; no hash, C2 domain/IP, or further configuration details are present in the available sources.

CVSS provenance

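| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |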