Vulnerability Details : CVE-2017-0199
Public exploit exists!
Used for ransomware!
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
Vulnerability category: Execute code
Products affected by CVE-2017-0199
- cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2016:-:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:a:philips:intellispace_portal:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:philips:intellispace_portal:7.0:*:*:*:*:*:*:*
CVE-2017-0199 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name: Microsoft Office and WordPad Remote Code Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for remote code execution.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0199
Added on: 2021-11-03
Action due date: 2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2017-0199
97.44%: probability of exploitation activity in the next 30 days
~ 100 %: percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2017-0199
- Microsoft Office Word Malicious Hta Execution
  Disclosure Date: 2017-04-14
  First seen: 2020-04-26
  exploit/windows/fileformat/office_word_hta
  This module creates a malicious RTF file that, when opened in vulnerable versions of Microsoft Word, will lead to code execution. The flaw exists in how an olelink object can make an http(s) request and execute hta code in response. This bug was originally seen
CVSS scores for CVE-2017-0199
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-10 |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | 2024-07-24 |
References for CVE-2017-0199
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
  Philips Intellispace Portal ISP Vulnerabilities | CISA [Third Party Advisory; US Government Resource]
- https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
  CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware | FireEye Inc [Broken Link; Exploit; Third Party Advisory]
- https://www.exploit-db.com/exploits/41934/
  Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit) [Exploit; Third Party Advisory; VDB Entry]
- https://www.exploit-db.com/exploits/42995/
  Microsoft Excel - OLE Arbitrary Code Execution [Third Party Advisory; VDB Entry]
- https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
  Analysis of a CVE-2017-0199 Malicious RTF Document – NVISO Labs [Exploit; Third Party Advisory]
- http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.html
  CVE-2017-0199 Practical exploitation ! (PoC) [Exploit; Third Party Advisory]
- http://www.securityfocus.com/bid/97498
  Microsoft Office OLE Feature Remote Code Execution Vulnerability [Broken Link; Third Party Advisory; VDB Entry]
- http://www.securitytracker.com/id/1038224
  Microsoft Office File OLE-Based Processing Flaw Lets Remote Users Execute Arbitrary Code - SecurityTracker [Broken Link; Third Party Advisory; VDB Entry]
- https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
  Exploiting CVE-2017-0199: HTA Handler Vulnerability – MDSec [Exploit; Third Party Advisory]
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
  CVE-2017-0199 - Security Update Guide - Microsoft - Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows [Patch; Vendor Advisory]
- https://www.exploit-db.com/exploits/41894/
  Microsoft Word - '.RTF' Remote Code Execution [Exploit; Third Party Advisory; VDB Entry]