Exploit
CVE-2024-7262

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Aug 15, 2024 / Updated: 3mo ago

CVSS 9.3 / EPSS 0.04% / Critical

Summary

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office versions ranging from 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load an arbitrary Windows library. Using the MHTML format allows an attacker to automatically deliver a malicious library when the document is opened, and a single user click on a crafted hyperlink leads to the execution of the library.

Impact

This vulnerability is rated critical, with a CVSS v4 base score of 9.3. It allows an attacker to execute arbitrary code with the privileges of the user running the application, which can lead to complete compromise of the system's confidentiality, integrity, and availability. The attack vector is local, attack complexity is low, and only passive user interaction (a single click) is required, making it relatively easy to exploit. Confidentiality, integrity, and availability impacts on the vulnerable system are all rated HIGH. Impacts on subsequent systems are also rated HIGH for confidentiality, integrity, and availability, indicating potential for lateral movement or further exploitation.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities Catalog. Its exploitation has been reported by various sources, including securityonline.info. Malware such as SpyGlace (source: HackYourMom) is known to have weaponized this vulnerability. The threat actor APT-C-60 (source: Vulnerability Archives • Cybersecurity News) has been identified as exploiting this vulnerability.

Patch

A patch is available. The vulnerability affects Kingsoft WPS Office versions from 12.2.0.13110 to 12.2.0.13489 on Windows. Users and administrators should apply the patch as soon as possible. The patch information can be found at https://www.wps.com/whatsnew/pc/20240422/

Mitigation

Until the patch is applied, consider the following mitigation strategies:

1. Restrict use of Kingsoft WPS Office, especially versions 12.2.0.13110 to 12.2.0.13489 on Windows systems.
2. Implement strict access controls and principle of least privilege to limit potential impact.
3. Educate users about the risks of opening untrusted documents or clicking on suspicious links within documents.
4. Use application whitelisting to prevent execution of unauthorized libraries.
5. Monitor for suspicious activities related to promecefpluginhost.exe.
6. Consider using alternative office suite software until the vulnerability is patched.
7. Implement network segmentation to limit the potential spread if a system is compromised.
8. Regularly backup important data to mitigate potential data loss.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:L/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7262.

Aug 15, 2024 at 3:24 PM / National Vulnerability Database

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 15, 2024 at 3:24 PM

Exploitation in the Wild

Attacks in the wild have been reported by Vulnerability Archives • Cybersecurity News.

Threat Intelligence Report

CVE-2024-7262 is a critical code execution vulnerability in WPS Office for Windows, exploited in the wild by APT-C-60 to target East Asian countries. The exploit was stealthy, leveraging a zero-day flaw and a subsequent logic bug, with a patch only partially addressing the issue. Users are urged to update WPS Office immediately to mitigate the risk of further exploitation and potential downstream impacts on third-party vendors.

Aug 28, 2024 at 9:18 AM

Attribution of Exploits

The vulnerability is known to be exploited by APT-C-60.

Aug 28, 2024 at 9:43 AM / Vulnerability Archives • Cybersecurity News

Trending

This CVE started to trend in security discussions

Aug 29, 2024 at 5:34 AM

Attribution of Exploits

The vulnerability is known to be exploited by SpyGlace.

Aug 29, 2024 at 6:59 AM / HackYourMom

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380420)

Aug 29, 2024 at 7:53 AM

Trending

This CVE stopped trending in security discussions

Sep 1, 2024 at 7:05 AM

Affected Systems

Kingsoft/wps_office

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

www.wps.com

Links to Malware Families

SpyGlace

Links to Threat Actors

APT-C-60

Attack Patterns

CAPEC-126: Path Traversal

References

CISA Adds Three Exploited Vulnerabilities to Known Catalog
Both Draytek VigorConnect and Kingsoft WPS Office vulnerabilities allow malicious actors to exploit path traversal flaws, potentially enabling unauthorized access to sensitive data. On September 3, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities Catalog, flagging three new vulnerabilities that pose significant risks to federal networks.
Arbitrary Code Execution Vulnerabilities Affecting WPS Office – Technical Analysis
This flaw allows attackers to execute arbitrary code by exploiting the WPS Office plugin component promecefpluginhost.exe. By embedding a malicious hyperlink within an MHTML file, attackers could trigger the download and execution of a remote file when the document was opened in WPS Spreadsheet.
Last Week in Security - 2024-09-05
These attacks are likely linked to the Chinese state-sponsored group APT 41, targeted government and military organizations in Asia and involve the delivery of a ZIP archive containing a malicious MSC file that executes code without user interaction through a method called GrimResource. New 0-Day Attacks Linked to China’s 'Volt Typhoon' - Researchers have discovered a new zero-day vulnerability being exploited by malicious hackers in Versa Director Software, utilized by Internet and IT service providers.

News

The SOS Intelligence CVE Chatter Weekly Top Ten – 28 October 2024
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.
Joe Sandbox v41 Charoite
COM calls are difficult to trace but with Joe Sandbox v41 malware analysts can see all COM calls performed by a suspicious process. Suricata replaces Snort, as it offers superior performance in malware analysis, with better handling of complex traffic patterns and improved detection capabilities.
CVE-2024-7262
Kingsoft WPS Office Path Traversal Vulnerability: Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library.
APT group exploits WPS Office for Windows RCE vulnerability (CVE-2024-7262)
2024-08-28 • Help Net Security
CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
