CVE-2018-0841
published 2018-02-15

Priority: P259, high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
EPSS: 20.43% (97.2th percentile)

Microsoft Office 2016 Click-to-Run allows a remote code execution vulnerability due to how objects are handled in memory, aka "Office Remote Code Execution Vulnerability"

Affected

4 ranges

Vendor | Product | Version range | Fixed in
microsoft | office | |
microsoft_corporation | microsoft_office | |
msrc | microsoft_office_2016_click-to-run_for_32-bit_editions | |
msrc | microsoft_office_2016_click-to-run_for_64-bit_editions | |

Detection & IOCs (extracted from sources)

  • Attack vector requires a user to open a specially crafted Microsoft Excel file; monitor for suspicious Excel file opens, particularly from email attachments or files downloaded from the web.
  • In email-based attacks, the malicious Excel file is delivered as an attachment; inspect email gateways for Excel files (.xlsx, .xls, .xlsm, etc.) from untrusted senders.
  • In web-based attacks, the crafted Excel file may be hosted on a compromised or attacker-controlled website; monitor web proxy logs for Excel file downloads from suspicious or newly-registered domains.
  • Scope detection to Microsoft Office 2016 Click-to-Run installations; unpatched instances are assessed 'Exploitation More Likely' by Microsoft.
  • The affected product is specifically Microsoft Office 2016 Click-to-Run; for other Office delivery mechanisms or versions, the exploitation likelihood for older software releases is listed as N/A.
  • As of the advisory, the vulnerability had not been publicly exploited in the wild, though Microsoft rated it 'Exploitation More Likely' for the latest software release.
  • Impact is scoped to the privilege level of the current user; systems where users run with administrative rights face the highest risk of full system compromise.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc | | 8.8 | HIGH |