CVE-2017-11882
CVE-2017-11882 is a high-severity vulnerability in Microsoft Office with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-119.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 9.3
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2017-3478
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-119
- Affected product: Microsoft Office
- Published:
- Last modified:
Description
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-11882 |
| Published | 2017-11-15 |
| Last Modified | 2026-06-17 |
| CVSS v2 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) |
| CVSS v3 | 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) |
| CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer |
| EPSS | 0.99945 (99.97th percentile) |
| CISA KEV | Yes (added 2021-11-03) |
| Assigner | [email protected] |
Summary
CVE-2017-11882 is a memory corruption vulnerability in multiple versions of Microsoft Office. The flaw exists because the application fails to properly handle objects in memory. An attacker who successfully exploits this vulnerability can run arbitrary code in the context of the current user. If the current user is logged on with administrative rights, the attacker can take complete control of the affected system.
Background
This vulnerability was disclosed by Microsoft as part of the November 2017 Patch Tuesday security updates. It is tracked distinctly from CVE-2017-11884, which addresses a related but separate memory corruption issue in the same product family. The vulnerability has been actively exploited in the wild and was later added to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting its continued relevance to threat actors.
Root Cause — CWE-119
The vulnerability is classified under CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. The root cause lies in improper memory handling when Office processes certain embedded objects. Specifically, the application does not adequately validate or constrain operations on memory buffers, leading to an out-of-bounds condition that can be leveraged for code execution. The flaw stems from legacy code paths that lack modern memory-safety checks.
Impact
The CVSS v2 base score of 9.3 and CVSS v3 score of 7.8 (HIGH) reflect severe impact potential:
- Confidentiality Impact: Complete (HIGH in v3) — attacker can read arbitrary data.
- Integrity Impact: Complete (HIGH in v3) — attacker can modify arbitrary data.
- Availability Impact: Complete (HIGH in v3) — attacker can cause system unavailability.
- Attack Vector: Network (v2) / Local (v3, due to user interaction requirement).
- Attack Complexity: Medium (v2) / Low (v3).
- Privileges Required: None.
- User Interaction: Required — the victim must open a malicious file.
Exploitation Walkthrough (Defensive Perspective)
Ethics Note: The following description is provided for defensive awareness only. No weaponized exploit code is included.
Attackers typically deliver exploitation via a malicious Office document (e.g., Word, Excel, or PowerPoint) distributed through spear-phishing email campaigns. When the victim opens the document, the application processes a malformed embedded object that triggers the memory corruption. The attacker-supplied payload then executes in the context of the current user.
Common delivery vectors observed in the wild include:
- Email attachments with social-engineered filenames
- Malicious documents embedded in archives
- Drive-by downloads hosted on compromised or attacker-controlled websites
Defensive teams should focus on:
- Blocking macro-enabled and unknown document types at the email gateway
- Enforcing application sandboxing and isolation
- Monitoring for suspicious child processes spawned by Office applications
Affected and Patched Versions
Affected Products (per NVD CPE data):
- Microsoft Office 2007 Service Pack 3
- Microsoft Office 2010 Service Pack 2
- Microsoft Office 2013 Service Pack 1
- Microsoft Office 2016
Remediation: Apply the official security updates released by Microsoft for the affected Office versions. Microsoft addressed this vulnerability in the November 2017 security updates. Organizations running unsupported versions (e.g., Office 2007) should migrate to a supported release.
Remediation
- Patching: Install the latest security updates for Microsoft Office from the Microsoft Security Response Center.
- Compensating Controls:
- Disable or restrict Office file attachments in email gateways.
- Implement Attack Surface Reduction (ASR) rules on Windows endpoints to block Office applications from creating child processes.
- Enable Protected View for documents originating from the Internet.
- Apply the principle of least privilege — ensure users operate without administrative rights where possible.
- Consider application allowlisting to prevent execution of untrusted Office binaries or add-ins.
Detection
Security operations teams can detect potential exploitation by monitoring for:
- Suspicious child processes (e.g.,
powershell.exe,cmd.exe,mshta.exe) spawned bywinword.exe,excel.exe, orpowerpnt.exe - Network connections initiated by Office processes to unusual external hosts
- Office documents with embedded objects that trigger Equation Editor or similar legacy components
- Endpoint detection alerts for memory corruption or heap-spray patterns in Office applications
Assessment
With an EPSS score of 0.99945 (99.97th percentile) and a confirmed presence on the CISA KEV catalog since November 2021, CVE-2017-11882 represents one of the most reliably exploited Office vulnerabilities on record. The high EPSS score indicates that exploitation in the wild is not merely theoretical but statistically near-certain for unpatched systems.
Key lessons:
- Legacy code carries enduring risk: Components that predate modern memory-safe development practices continue to introduce critical vulnerabilities years after initial release.
- User interaction is not a strong control: Requiring a user to open a document remains a low bar for determined threat actors armed with convincing social engineering.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11882
- https://www.kb.cert.org/vuls/id/421280
- https://www.exploit-db.com/exploits/43163/
- https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
- https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
- https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
- https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/
Frequently asked questions
- What is CVE-2017-11882?
- Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
- How severe is CVE-2017-11882?
- CVE-2017-11882 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-11882 being actively exploited?
- Yes. CVE-2017-11882 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-11882?
- CVE-2017-11882 primarily affects Microsoft Office. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-11882?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-11882 have an EU (EUVD) identifier?
- Yes. CVE-2017-11882 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-3478. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2017-11882 published?
- CVE-2017-11882 was published on 2017-11-15 and last updated on 2026-06-17.
References
- http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882
- http://www.securityfocus.com/bid/101757
- http://www.securitytracker.com/id/1039783
- https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
- https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
- https://github.com/0x09AL/CVE-2017-11882-metasploit
- https://github.com/embedi/CVE-2017-11882
- https://github.com/rxwx/CVE-2017-11882
- https://github.com/unamer/CVE-2017-11882
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
- https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
- https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/
- https://www.exploit-db.com/exploits/43163/
- https://www.kb.cert.org/vuls/id/421280
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11882
Affected products (4)
- cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Office
- CVE-2007-0065 — Critical (CVSS 10.0): Heap-based buffer overflow in Object Linking and Embedding (OLE) Automation in Microsoft Windows 2000 SP4, XP SP2,…
- CVE-2003-0347 — Critical (CVSS 10.0): Heap-based buffer overflow in VBE.DLL and VBE6.DLL of Microsoft Visual Basic for Applications (VBA) SDK 5.0 through 6.3…
- CVE-2000-0854 — Critical (CVSS 10.0): When a Microsoft Office 2000 document is launched, the directory of that document is first used to locate DLL's such as…
- CVE-2025-53766 — Critical (CVSS 9.8): Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- CVE-2023-23397 — Critical (CVSS 9.8): Microsoft Outlook Elevation of Privilege Vulnerability
- CVE-2023-21716 — Critical (CVSS 9.8): Microsoft Word Remote Code Execution Vulnerability
All CVEs affecting Microsoft Office →
Other CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) vulnerabilities
- CVE-2026-2778 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in…
- CVE-2026-2776 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability…
- CVE-2025-1866 — Critical (CVSS 10.0): Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in warmcat libwebsockets allows…
- CVE-2022-27625 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2022-27624 — Critical (CVSS 10.0): A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the…
- CVE-2020-11896 — Critical (CVSS 10.0): The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.