CVE-2023-21716

Microsoft Word Remote Code Execution Vulnerability

CVSS 9.8 CRITICAL | EPSS 82.3% | CWE-190
In short

A critical vulnerability in Microsoft Word allows an attacker to execute arbitrary code on a victim's computer by tricking them into opening a specially crafted document. This can lead to complete system compromise without requiring any special user permissions.

Technical detail

An integer overflow vulnerability (CWE-190) in Microsoft Word's document parsing engine allows remote code execution when processing maliciously crafted Word files. The attack vector is document opening via email or web download; no user interaction beyond opening the file is required, enabling unauthenticated RCE with CVSS 9.8 severity.

Summary generated and translated by AI from the official description.
Microsoft Word Remote Code Execution Vulnerability
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
