CVE-2022-24934
Published 2022-03-23
CVE-2022-24934: wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.
Priority P1 · 84 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 20.47% (97.2th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wps | wps_office | <= 11.2.0.10382 | — |
Detection & IOCs
- Monitor wpsupdater.exe for unexpected registry modifications to HKEY_CURRENT_USER, which may indicate exploitation of CVE-2022-24934 leading to remote code execution.
- Affected version range is Kingsoft WPS Office through 11.2.0.10382; versions beyond this may be patched.
- The threat actor behind Operation Dragon Castling exploiting this CVE was not yet linked to a known group at time of reporting.
CVSS provenance
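| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |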
GHSA
GHSA-8p4j-qh7w-684c: wpsupdater
ghsa_unreviewed · 2022-03-25
CVE-2022-24934 [CRITICAL] GHSA-8p4j-qh7w-684c: wpsupdater
VulnCheck
Kingsoft WPS Office through 11.2.0.10382 wpsupdater.exe Remote Code Execution
vulncheck · 2022 · CVSS 9.8
CVE-2022-24934 [CRITICAL] Kingsoft WPS Office through 11.2.0.10382 wpsupdater.exe Remote Code Execution
Affected: wps wps_office
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/; https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf
No detection rules found.
No public exploits indexed.