CVE-2017-0199

CVE-2017-0199 is a high-severity vulnerability in Microsoft Office with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).

Key facts

Description

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

CVE-2017-0199: Microsoft Office / WordPad Remote Code Execution via HTA Handler Abuse

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2017-0199
CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS v3.1 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS 0.99933 (99.93%) — 99.97th percentile
KEV Yes (added 2021-11-03)
CWE Not specified in source data
Published 2017-04-12
Assigner [email protected]

Summary

CVE-2017-0199 is a remote code execution vulnerability in Microsoft Office and WordPad. An attacker can deliver a crafted document that, when opened, causes the application to fetch and execute an HTA (HTML Application) payload via the Windows API. Successful exploitation grants the attacker full control of the affected system with the privileges of the opening user.

Background

In April 2017, Microsoft patched this vulnerability as part of its monthly security updates. The flaw quickly became one of the most exploited vulnerabilities in Office-based attack chains. Threat actors embedded malicious links inside RTF and Office documents that leveraged the htafile handler. Because the interaction required only that a victim open a document (with possible additional interaction depending on the delivery method), the vulnerability was rapidly adopted by multiple crimeware and targeted-attack campaigns.

Root Cause

The root cause is improper handling of embedded OLE2 links combined with the Windows HTA handler. When an Office or WordPad document contains a specially crafted link object pointing to an external HTA resource, the application fetches the resource and passes it to the Windows shell for execution without sufficient validation or sandboxing. The input data does not specify a CWE ID, so the exact mapping is unconfirmed; behaviorally, the issue aligns with insufficient control of filename or path (CWE-73) and improper neutralization of script-related HTML tags (CWE-80), but this mapping is speculative and should be treated as unverified.

Impact

  • CVSS v2: 9.3 — Network exploitable with medium complexity, no authentication required, and complete impact on confidentiality, integrity, and availability.
  • CVSS v3.1: 7.8 — Local attack vector after user interaction is required; the scope is unchanged, but the impact on confidentiality, integrity, and availability remains high.
  • EPSS: 0.99933 indicates near-certain probability of exploitation in the wild.
  • KEV-listed since 2021-11-03, confirming active, widespread exploitation by threat actors.

Exploitation Walkthrough

An attacker typically:

  1. Crafts a document (RTF, DOC, or other Office format) embedding a link to a remote HTA file.
  2. Delivers the document via phishing email or other social engineering.
  3. Waits for the victim to open the document.
  4. The Office/WordPad application retrieves the HTA and invokes the Windows HTA handler, executing attacker-controlled script on the local system.

Ethics caveat: This description is intentionally defensive and generic. No weaponized exploit code is provided. Security teams should use this understanding to build detection rules and user-awareness programs, not to construct attacks.

Affected and Patched Versions

Affected products (per CPE data):

  • Microsoft Office 2007 SP3
  • Microsoft Office 2010 SP2
  • Microsoft Office 2013 SP1
  • Microsoft Office 2016
  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 7 SP1
  • Philips IntelliSpace Portal 7.0
  • Philips IntelliSpace Portal 8.0

Patched versions: Microsoft released patches in April 2017. Specific build numbers are not included in the source data; administrators should apply the April 2017 (or later) Microsoft security updates for the relevant Office and Windows versions.

Remediation

  1. Patching: Apply the official Microsoft security updates for CVE-2017-0199. Prioritize Office 2010/2013/2016 and affected Windows systems.
  2. Compensating controls:
    • Disable Office macros and embedded OLE objects where not required.
    • Block HTA file execution via Application Control (AppLocker / WDAC).
    • Restrict outbound connections from Office applications where possible.
    • Enable Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint to block Office apps from creating child processes.
  3. Email security: Use mail-gateway filtering to strip or quarantine documents containing suspicious OLE links or HTA references.

Detection

  • Monitor endpoint telemetry for Office/WordPad processes spawning mshta.exe or making unexpected outbound HTTP/HTTPS requests.
  • Look for network connections to rare or newly registered domains immediately after Office document open events.
  • Enable Microsoft Defender Antivirus / EDR detections for exploit behavior tied to CVE-2017-0199.
  • Leverage KEV and EPSS data in vulnerability-management workflows to ensure this CVE remains tracked until all affected assets are patched or retired.

Assessment

CVE-2017-0199 is a textbook example of a high-impact Office vulnerability that transitions from disclosure to widespread exploitation in days. With an EPSS above 99.9% and a confirmed KEV entry, defenders should treat any unpatched instance as actively targeted.

Key lessons:

  1. Documents from external sources must be opened in isolated or sandboxed environments before being trusted.
  2. EPSS and KEV data are essential for prioritizing patches when CVE volume exceeds patching capacity.

References

Frequently asked questions

What is CVE-2017-0199?
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
How severe is CVE-2017-0199?
CVE-2017-0199 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-0199 being actively exploited?
Yes. CVE-2017-0199 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-0199?
CVE-2017-0199 primarily affects Microsoft Office. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-0199?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-0199 have an EU (EUVD) identifier?
Yes. CVE-2017-0199 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-0566. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2017-0199 published?
CVE-2017-0199 was published on 2017-04-12 and last updated on 2026-06-17.

References

Affected products (11)

More vulnerabilities in Microsoft Office

All CVEs affecting Microsoft Office →