CVE-2015-2503
CVE-2015-2503 is a critical-severity vulnerability in Microsoft Access with a CVSS 2.0 base score of 9.3. Its EPSS exploit-prediction score of 17% places it in the 97th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-264.
Key facts
- Severity: Critical (CVSS 2.0 base score 9.3)
- EPSS exploit prediction: 17% (97th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-264
- Affected product: Microsoft Access
- Published:
- Last modified:
Description
Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote 2007 SP3, PowerPoint 2007 SP3, Project 2007 SP3, Publisher 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2007 IME (Japanese) SP3, Access 2010 SP2, Excel 2010 SP2, InfoPath 2010 SP2, OneNote 2010 SP2, PowerPoint 2010 SP2, Project 2010 SP2, Publisher 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Pinyin IME 2010, Access 2013 SP1, Excel 2013 SP1, InfoPath 2013 SP1, OneNote 2013 SP1, PowerPoint 2013 SP1, Project 2013 SP1, Publisher 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, OneNote 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Access 2016, Excel 2016, OneNote 2016, PowerPoint 2016, Project 2016, Publisher 2016, Visio 2016, Word 2016, Skype for Business 2016, and Lync 2013 SP1 allow remote attackers to bypass a sandbox protection mechanism and gain privileges via a crafted web site that is accessed with Internet Explorer, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Microsoft Office Elevation of Privilege Vulnerability."
Frequently asked questions
- What is CVE-2015-2503?
- Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote 2007 SP3, PowerPoint 2007 SP3, Project 2007 SP3, Publisher 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2007 IME (Japanese) SP3, Access 2010 SP2, Excel 2010 SP2, InfoPath 2010 SP2, OneNote 2010 SP2, PowerPoint 2010 SP2, Project 2010 SP2, Publisher 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Pinyin IME 2010, Access 2013 SP1, Excel 2013 SP1, InfoPath 2013 SP1, OneNote 2013 SP1, PowerPoint 2013 SP1, Project 2013 SP1, Publisher 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, OneNote 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Access 2016, Excel 2016, OneNote 2016, PowerPoint 2016, Project 2016, Publisher 2016, Visio 2016, Word 2016, Skype for Business 2016, and Lync 2013 SP1 allow remote attackers to bypass a sandbox protection mechanism and gain privileges via a crafted web site that is accessed with Internet Explorer, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Microsoft Office Elevation of Privilege Vulnerability."
- How severe is CVE-2015-2503?
- CVE-2015-2503 has a CVSS 2.0 base score of 9.3, rated critical severity.
- Is CVE-2015-2503 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 17% (97th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2015-2503?
- CVE-2015-2503 primarily affects Microsoft Access. In total, 44 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2015-2503?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2015-2503 published?
- CVE-2015-2503 was published on 2015-11-11 and last updated on 2026-06-17.
References
- http://www.securitytracker.com/id/1034117
- http://www.securitytracker.com/id/1034119
- http://www.securitytracker.com/id/1034122
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-116
Affected products (44)
- cpe:2.3:a:microsoft:access:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:access:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:access:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:access:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:x64:*
- cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:x86:*
- cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*
- cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:infopath:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:infopath:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:infopath:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:lync:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_2007_ime:sp3:*:*:ja:*:*:*:*
- cpe:2.3:a:microsoft:onenote:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:onenote:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:onenote:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:onenote:2013:sp1:*:*:rt:*:*:*
- cpe:2.3:a:microsoft:onenote:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:pinyin_ime:2010:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2013:sp1:*:*:rt:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:project:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:project:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:project_server:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:project_server:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:publisher:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:publisher:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:publisher:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:publisher:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:word:2007:sp3:*:*:*:*:*:*
More vulnerabilities in Microsoft Access
- CVE-2000-0788 — Critical (CVSS 10.0): The Mail Merge tool in Microsoft Word does not prompt the user before executing Visual Basic (VBA) scripts in an Access…
- CVE-1999-0364 — Critical (CVSS 10.0): Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.
- CVE-2013-3157 — Critical (CVSS 9.3): Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Office allows remote attackers to execute arbitrary…
- CVE-2013-3156 — Critical (CVSS 9.3): Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Office allows remote attackers to execute arbitrary…
- CVE-2013-3155 — Critical (CVSS 9.3): Microsoft Access 2007 SP3, 2010 SP1 and SP2, and 2013 in Microsoft Office allows remote attackers to execute arbitrary…
- CVE-2010-1881 — Critical (CVSS 9.3): The FieldList ActiveX control in the Microsoft Access Wizard Controls in ACCWIZ.dll in Microsoft Office Access 2003 SP3…
All CVEs affecting Microsoft Access →
Other CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities
- CVE-2016-8363 — Critical (CVSS 10.0): An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232…
- CVE-2016-7457 — Critical (CVSS 10.0): VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt…
- CVE-2015-7425 — Critical (CVSS 10.0): The Data Protection component in the VMware vSphere GUI in IBM Tivoli Storage Manager for Virtual Environments: Data…
- CVE-2015-8267 — Critical (CVSS 10.0): The PasswordReset.Controllers.ResetController.ChangePasswordIndex method in PasswordReset.dll in Dovestones AD Self…
- CVE-2015-7919 — Critical (CVSS 10.0): SearchBlox 8.3 before 8.3.1 allows remote attackers to write to the config file, and consequently cause a denial of…
- CVE-2015-7071 — Critical (CVSS 10.0): The File Bookmark component in Apple OS X before 10.11.2 allows attackers to bypass a sandbox protection mechanism for…
Browse all CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities →