CVE-2024-7262
published 2024-08-15

Priority: P180, high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
KEV: CISA Known Exploited Vulnerability, due 2024-09-24
ITW: Exploited in the wild
EPSS: 1.77% (75.4th percentile)
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document.

Affected

4 ranges
Vendor    Product     Version range                     Fixed in
kingsoft  wps_office  >= 12.2.0.13110 < 12.2.0.17115    12.2.0.17115
kingsoft  wps_office  >= 12.2.0.13110 < 12.2.0.16412    12.2.0.16412
kingsoft  wps_office  >= 12.2.0.13110 < 12.2.0.17153    12.2.0.17153
kingsoft  wps_office  >= 12.2.0.16909 < 12.1.0.18276    12.1.0.18276

Detection & IOCs (extracted from sources)

process:  promecefpluginhost.exe
filename: ksojscore.dll
filename: TaskControler.dll
path:     ?:\Users\*\AppData\Local\Temp\wps\INetCache\*
path:     \Device\Mup\**
other:    ksoqing://
Detection rule (source label: sigma; the query uses Elastic EQL syntax):
    any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and (
      (event.category == "library" and
       ?dll.path :
         ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
          "\\Device\\Mup\\**", "\\\\*")) or
      ((event.category == "process" and event.action : "Image loaded*") and
       ?file.path :
         ("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
          "\\Device\\Mup\\**", "\\\\*"))
    )
  • Hunt for promecefpluginhost.exe loading DLLs from the WPS INetCache temp directory, UNC paths (\\*), or the \Device\Mup device path — all are strong indicators of CVE-2024-7262/7263 exploitation via DLL hijack.
  • The exploit is delivered via MHTML spreadsheet files containing malicious hyperlinks hidden under a decoy image; the malicious URL uses the ksoqing:// custom protocol handler with a base64-encoded command payload.
  • The incomplete patch for CVE-2024-7262 left the 'CefPluginPathU8' parameter unsanitized in promecefpluginhost.exe, enabling CVE-2024-7263; monitor for this parameter being used to point to non-standard DLL paths including network shares.
  • The final payload dropped is a backdoor named SpyGlace (TaskControler.dll); detection of this filename on disk or in memory is a high-confidence indicator of a completed compromise.
  • The patch in version 12.2.0.16909 (CVE-2024-7262 fix) was incomplete; full remediation for both CVE-2024-7262 and CVE-2024-7263 requires upgrading to at least version 12.2.0.17119.
  • CVE-2024-7263 (the incomplete-patch bypass) can be exploited not only locally but also via a network share hosting the malicious DLL, broadening the attack surface beyond local file delivery.
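
The hunting logic from the bullets above, as an added Python example (not from this page or its sources): it applies the rule's three DLL path patterns to image-load events from promecefpluginhost.exe and separately flags the TaskControler.dll filename. The event field names, host names and sample events are constructed assumptions, not a real log schema.

```python
from fnmatch import fnmatchcase
from ntpath import basename

# Path patterns from the rule above, lowercased because EQL ":" is case-insensitive.
SUSPICIOUS_DLL_PATHS = {
    "wps_inetcache": r"?:\users\*\appdata\local\temp\wps\inetcache\*",
    "device_mup": r"\device\mup\*",
    "unc_share": r"\\*",
}
TARGET_PROCESS = "promecefpluginhost.exe"
PAYLOAD_NAME = "taskcontroler.dll"  # SpyGlace filename listed in the IOCs


def classify(event):
    """Return the reasons an image-load event is suspicious (empty list if none)."""
    reasons = []
    proc = event.get("process_name", "").lower()
    path = event.get("dll_path", "").lower()
    # Path patterns only count when the loading process is the WPS plugin host.
    if proc == TARGET_PROCESS:
        reasons += [name for name, pattern in SUSPICIOUS_DLL_PATHS.items()
                    if fnmatchcase(path, pattern)]
    # The payload filename is flagged regardless of which process touched it.
    if basename(path) == PAYLOAD_NAME:
        reasons.append("spyglace_filename")
    return reasons


def triage(events):
    """Return (dll_path, reasons) for every event with at least one reason."""
    return [(e["dll_path"], classify(e)) for e in events if classify(e)]


# Constructed sample events (assumed field names, made-up hosts and install path).
SAMPLE_EVENTS = [
    {"process_name": "promecefpluginhost.exe",
     "dll_path": r"C:\Users\alice\AppData\Local\Temp\wps\INetCache\abc123"},
    {"process_name": "promecefpluginhost.exe",
     "dll_path": r"\\fileserver.example\share\plugin.dll"},
    {"process_name": "promecefpluginhost.exe",
     "dll_path": r"\Device\Mup\fileserver.example\share\plugin.dll"},
    {"process_name": "promecefpluginhost.exe",
     "dll_path": r"C:\Program Files\Example\office6\ksojscore.dll"},
    {"process_name": "explorer.exe",
     "dll_path": r"C:\Users\alice\Downloads\TaskControler.dll"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT {reasons}: {path}")
```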

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        v4.0     9.3    CRITICAL  CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:X
vulncheck  -        9.3    CRITICAL  -
cisa       -        9.3    CRITICAL  -