Cyber Resilience

CVE-2015-1641

HighCISA KEVActive ExploitationEUVD Exploited

Published: 14 April 2015

Published
14 April 2015
Modified
22 April 2026
KEV Added
03 November 2021
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.9367 99.9th percentile
Risk Priority 92 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-1641 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Word. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

The vulnerability CVE-2015-1641 is an out-of-bounds write memory corruption flaw (CWE-787) affecting Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1. It is triggered when these components parse a specially crafted RTF document.

An attacker can exploit the issue by supplying a malicious RTF file that, when opened by a user in an affected application, results in arbitrary code execution. The CVSS 7.8 vector indicates the attack requires local access and user interaction but grants full confidentiality, integrity, and availability impact under the current user's privileges.

Microsoft security bulletin MS15-033 provides official patches and mitigation guidance for the listed products. No additional details on observed exploitation campaigns are present in the supplied references.

EU & UK References

Vulnerability details

Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps…

more

Server 2010 SP2 and 2013 SP1 allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
office
2010
microsoft
office compatibility pack
all versions
microsoft
office web apps
2010, 2013
microsoft
outlook
2011
microsoft
sharepoint server
2010, 2013
microsoft
word
2007, 2010, 2011, 2013

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor patches (MS15-033) that eliminate the RTF parsing flaw before exploitation can occur.

prevent

Enforces memory-protection mechanisms that can block or contain the out-of-bounds write (CWE-787) used to achieve arbitrary code execution.

preventdetect

Deploys malicious-code detection (e.g., AV/EDR signatures or heuristics) that can identify and block the crafted RTF document before the vulnerable parser processes it.

References