WPS Office Vulnerabilities Expose 200 Million Users: CVE-2024-7262 Exploited in the Wild

kingsoft wps office - CVE-2024-7262 and CVE-2024-7263

WPS Office, a widely used office suite with a user base exceeding 200 million, has been found to contain two critical vulnerabilities that could expose users to remote code execution attacks. The vulnerabilities, identified as CVE-2024-7262 and CVE-2024-7263, have been assigned a CVSS score of 9.3, indicating their high severity and potential for exploitation.

Technical Analysis of the Vulnerabilities:

The vulnerabilities were discovered in the promecefpluginhost.exe component of WPS Office, specifically within versions ranging from 12.2.0.13110 to 12.2.0.13489 for CVE-2024-7262, and from 12.2.0.13110 to 12.2.0.17153 for CVE-2024-7263. Both vulnerabilities stem from improper path validation, allowing attackers to load and execute arbitrary Windows libraries.

  • CVE-2024-7262: The flaw lies in how the promecefpluginhost.exe process validates file paths, enabling an attacker to load a malicious Windows library simply by tricking a user into opening a deceptive spreadsheet document. This single-click exploit could allow attackers to execute arbitrary code on the victim’s machine, potentially leading to data theft, ransomware, or further system compromise.

  • CVE-2024-7263: In an attempt to address CVE-2024-7262, Kingsoft released a patch with version 12.2.0.16909. However, researchers soon discovered that this patch was not sufficient. CVE-2024-7263, which affects versions up to 12.2.0.17153 (exclusive), exploits an additional improperly sanitized parameter that was overlooked in the original fix. This oversight allows attackers to again load arbitrary Windows libraries, bypassing the initial security measures implemented by Kingsoft.

Weaponization and Exploitation

What makes these vulnerabilities particularly alarming is the fact that CVE-2024-7262 has already been weaponized. Security researchers from ESET found it being actively exploited in the wild, with malicious actors distributing deceptive spreadsheet documents designed to trigger the exploit.

Mitigating the Risk:

Given the severity of these vulnerabilities and the confirmed active exploitation of CVE-2024-7262, all WPS Office users must update their software to the latest available version (12.2.0.17153 or later) as soon as possible.

Related Posts: