www.belgium.be Logo of the federal government

Warning: High-Severity Path Validation Vulnerability In Kingsoft WPS Office Enables Arbitrary Code Execution, Patch Immediately!

Reference: 
Advisory #2024-205
Version: 
1.0
Affected software: 
Kingsoft WPS Office ranging from 12.2.0.13110 to 12.2.0.13489
Type: 
Improper Path Validation
CVE/CVSS: 

CVE-2024-7262 :CVSS 7.8(CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Datum: 
22/08/2024

Sources

Tenable: https://www.tenable.com/cve/CVE-2024-7262

Risks

The vulnerability has a high risk due to the potential for arbitrary code execution through the loading of malicious libraries. This risk is exacerbated by the fact that it has been weaponized as a single-click exploit, making it easier for attackers to exploit.

According to Cybersecurity News, ESET observed malicious actors distributing deceptive spreadsheet documents designed to trigger the exploit, which makes this actively exploited in the wild.

Furthermore, the vulnerability has a high impact on confidentiality, integrity, and availability.

Description

This vulnerability involves improper path validation in the promecefpluginhost.exe of Kingsoft WPS Office, allowing an attacker to load an arbitrary Windows library.

Exploitation vector:

  1. The attacker crafts a malicious spreadsheet document embedded with a payload.
  2. The attacker distributes this document to the target.
  3. When the target opens the document in Kingsoft WPS Office, the promecefpluginhost.exe improperly validates the file path and loads the malicious library, executing the attacker's code.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-7262
Feedly: https://feedly.com/cve/CVE-2024-7262
Cybersecurity News: https://securityonline.info/wps-office-vulnerabilities-expose-200-million-users-cve-2024-7262-exploited-in-the-wild/