CVE-2024-7262
published 2024-08-15CVE-2024-7262: Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an…
PriorityP180high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-09-24
Exploited in the wild
EPSS
1.77%
75.4th percentile
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive) on Windows allows an attacker to load an arbitrary Windows library.
The vulnerability was found weaponized as a single-click exploit in the form of a deceptive spreadsheet document
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kingsoft | wps_office | >= 12.2.0.13110 < 12.2.0.17115 | 12.2.0.17115 |
| kingsoft | wps_office | >= 12.2.0.13110 < 12.2.0.16412 | 12.2.0.16412 |
| kingsoft | wps_office | >= 12.2.0.13110 < 12.2.0.17153 | 12.2.0.17153 |
| kingsoft | wps_office | >= 12.2.0.16909 < 12.1.0.18276 | 12.1.0.18276 |
Detection & IOCsextracted from sources · hover to see the quote
sigma↗
any where host.os.type == "windows" and process.name : "promecefpluginhost.exe" and (
(event.category == "library" and
?dll.path :
("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
"\\Device\\Mup\\**", "\\\\*")) or
((event.category == "process" and event.action : "Image loaded*") and
?file.path :
("?:\\Users\\*\\AppData\\Local\\Temp\\wps\\INetCache\\*",
"\\Device\\Mup\\**", "\\\\*"))
)- →Hunt for promecefpluginhost.exe loading DLLs from the WPS INetCache temp directory, UNC paths (\\*), or the \Device\Mup device path — all are strong indicators of CVE-2024-7262/7263 exploitation via DLL hijack. ↗
- →The exploit is delivered via MHTML spreadsheet files containing malicious hyperlinks hidden under a decoy image; the malicious URL uses the ksoqing:// custom protocol handler with a base64-encoded command payload. ↗
- →The incomplete patch for CVE-2024-7262 left the 'CefPluginPathU8' parameter unsanitized in promecefpluginhost.exe, enabling CVE-2024-7263; monitor for this parameter being used to point to non-standard DLL paths including network shares. ↗
- →The final payload dropped is a backdoor named SpyGlace (TaskControler.dll); detection of this filename on disk or in memory is a high-confidence indicator of a completed compromise. ↗
- ·The patch in version 12.2.0.16909 (CVE-2024-7262 fix) was incomplete; full remediation for both CVE-2024-7262 and CVE-2024-7263 requires upgrading to at least version 12.2.0.17119. ↗
- ·CVE-2024-7263 (the incomplete-patch bypass) can be exploited not only locally but also via a network share hosting the malicious DLL, broadening the attack surface beyond local file delivery. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:X
vulncheck9.3CRITICAL
cisa9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jxrq-h53g-x3qx: Improper verification of the digital signature in ksojscore
ghsa_unreviewed·2025-03-04·CVSS 9.3
CVE-2024-11957 [CRITICAL] CWE-347 GHSA-jxrq-h53g-x3qx: Improper verification of the digital signature in ksojscore
Improper verification of the digital signature in ksojscore.dll in Kingsoft WPS Office in versions equal or less than 12.1.0.18276
on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.2.0.16909 to mitigate CVE-2024-7262 was not restrictive enough.
GHSA
GHSA-xx3f-44rh-4g76: Improper path validation in promecefpluginhost
ghsa_unreviewed·2024-08-15·CVSS 9.3
CVE-2024-7263 [CRITICAL] CWE-22 GHSA-xx3f-44rh-4g76: Improper path validation in promecefpluginhost
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load an arbitrary Windows library.
The patch released in version 12.2.0.16909 to mitigate CVE-2024-7262 was not restrictive enough. Another hyperlink parameter was not properly sanitized which leads to the execution of an arbitrary Windows library.
GHSA
GHSA-p736-fp6q-qr5j: Improper path validation in promecefpluginhost
ghsa_unreviewed·2024-08-15
CVE-2024-7262 [CRITICAL] CWE-22 GHSA-p736-fp6q-qr5j: Improper path validation in promecefpluginhost
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load an arbitrary Windows library.
Using the MHTML format allows an attacker to automatically deliver a malicious library on opening the document and a single user click on a crafted hyperlink leads to the execution of the library.
VulnCheck
Kingsoft WPS Office Path Traversal Vulnerability
vulncheck·2024·CVSS 9.3
CVE-2024-7262 [CRITICAL] CWE-22 Kingsoft WPS Office Path Traversal Vulnerability
Kingsoft WPS Office Path Traversal Vulnerability
Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library.
Affected: Kingsoft WPS Office
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cve.org/CVERecord?id=CVE-2024-7262; https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://web-assets.esetstatic.com/wls/en/papers/threat-re
CISA
Kingsoft WPS Office Path Traversal Vulnerability
cisa·2024-09-03·CVSS 9.3
CVE-2024-7262 [CRITICAL] CWE-22 Kingsoft WPS Office Path Traversal Vulnerability
Vulnerability: Kingsoft WPS Office Path Traversal Vulnerability
Affected: Kingsoft WPS Office
Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: While CISA cannot confirm the effectiveness of patches at this time, it is recommended that mitigations be applied per vendor instructions if available. If these instructions cannot be located or if mitigations are unavailable, discontinue the use of the product.; https://nvd.nist.gov/vuln/detail/CVE-2024-7262
Remediation Due Date: 2024-09-24
No public exploits indexed.
2024-08-15
Published
2024-09-03
Added to CISA KEV
Exploited in the wild