CVE-2024-7263

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Aug 15, 2024 / Updated: 3mo ago

CVSS 9.3 (Critical) / EPSS 0.04%

Summary

Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office versions 12.2.0.13110 to 12.2.0.13489 on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.2.0.16909 to mitigate a previous vulnerability was not restrictive enough: another hyperlink parameter was not properly sanitized, which leads to the execution of an arbitrary Windows library.

Impact

This vulnerability allows an attacker to load and execute arbitrary Windows libraries on the affected system. This can lead to code execution with the privileges of the user running the WPS Office application. The impact is severe, as it can result in unauthorized access, data theft, system compromise, and potential lateral movement within a network. Given the CVSS v4 base score of 9.3 (Critical), this vulnerability poses a significant risk to the confidentiality, integrity, and availability of the affected systems.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in Kingsoft WPS Office version 12.2.0.16909 and later.

Mitigation

1. Update Kingsoft WPS Office to version 12.2.0.16909 or later immediately.
2. If immediate updating is not possible, consider temporarily restricting the use of WPS Office or isolating systems running vulnerable versions.
3. Implement the principle of least privilege to minimize the potential impact if exploitation occurs.
4. Monitor for suspicious activities or unexpected library loads on systems running WPS Office.
5. Educate users about the risks of opening untrusted documents or clicking on suspicious hyperlinks within documents.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7263.

Aug 15, 2024 at 3:24 PM / National Vulnerability Database

Exploitation in the Wild

Attacks in the wild have been reported by We Live Security.

Aug 28, 2024 at 9:18 AM / We Live Security

Threat Intelligence Report

CVE-2024-7263 was a critical vulnerability discovered by ESET researchers, leading to an alternative exploit path. Kingsoft silently patched the vulnerability, contradicting previous claims, and it was later published. This underlines the importance of thorough patch verification processes and ensuring core issues are fully addressed to prevent potential exploitation in the wild and downstream impacts on third-party vendors.

Aug 28, 2024 at 9:18 AM

Attribution of Exploits

The vulnerability is known to be exploited by APT-C-60.

Aug 28, 2024 at 1:48 PM / The Hacker News

Attribution of Exploits

The vulnerability is known to be exploited by SpyGlace.

Aug 29, 2024 at 6:59 AM / HackYourMom

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380422)

Sep 2, 2024 at 7:53 AM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (206675)

Sep 6, 2024 at 1:15 AM

Affected Systems

Kingsoft/wps_office

Patches

www.wps.com

Links to Malware Families

SpyGlace

Links to Threat Actors

APT-C-60

Attack Patterns

CAPEC-126: Path Traversal

References

Arbitrary Code Execution Vulnerabilities Affecting WPS Office – Technical Analysis
This flaw allows attackers to execute arbitrary code by exploiting the WPS Office plugin component promecefpluginhost.exe. By embedding a malicious hyperlink within an MHTML file, attackers could trigger the download and execution of a remote file when the document was opened in WPS Spreadsheet.
Last Week in Security - 2024-09-05
These attacks are likely linked to the Chinese state-sponsored group APT 41, targeted government and military organizations in Asia and involve the delivery of a ZIP archive containing a malicious MSC file that executes code without user interaction through a method called GrimResource. New 0-Day Attacks Linked to China’s 'Volt Typhoon' - Researchers have discovered a new zero-day vulnerability being exploited by malicious hackers in Versa Director Software, utilized by Internet and IT service providers.
Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
ESET researchers discovered a code execution vulnerability in WPS Office for Windows (CVE-2024-7262), as it was being exploited by APT-C-60, a South Korea-aligned cyberespionage group. The rather unconventional MHTML file format allows a file to be downloaded as soon as the document is opened; therefore, leveraging this technique while exploiting the vulnerability provides for remote code execution.

News

[Kali Notes] Commonly used password dictionaries in Kali, recommended websites
(2024.09.09) (various)
WPS Office (2024.09.06) CVE-2024-7262 CVE-2024-7263
Spy Group Exploits WPS Office Zero Day
ESET researchers discovered a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262). “The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region,” says ESET researcher Romain Dumont, who analyzed the vulnerabilities.
ESET Research Discovers Vulnerability in WPS Office for Windows
ESET researchers discovered a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262). “The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region,” says ESET researcher Romain Dumont, who analyzed the vulnerabilities.

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
