Cyber Resilience

CVE-2019-0541

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 08 January 2019

Published
08 January 2019
Modified
29 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.8717 99.5th percentile
Risk Priority 90 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-0541 is a high-severity Command Injection (CWE-77) vulnerability in Microsoft Office. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A remote code execution vulnerability exists in the MSHTML engine due to improper input validation, tracked as CVE-2019-0541 with CWE-77. It affects Microsoft Office, Office 365 ProPlus, Microsoft Office Word Viewer, Microsoft Excel Viewer, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The issue carries a CVSS 3.1 score of 8.8 reflecting network attack vector, low complexity, no required privileges, and required user interaction, with high impact on confidentiality, integrity, and availability.

An attacker can exploit the flaw by delivering specially crafted content over the network that triggers the vulnerable MSHTML engine in a user's browser or Office application. Successful exploitation allows remote code execution in the context of the current user, enabling arbitrary code to run, data to be accessed or modified, and system availability to be disrupted.

Microsoft has published an advisory at portal.msrc.microsoft.com detailing the issue and available updates. Public exploit code for the vulnerability has been posted to Exploit-DB, indicating that proof-of-concept attacks are readily accessible to potential adversaries.

EU & UK References

Vulnerability details

A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input, aka "MSHTML Engine Remote Code Execution Vulnerability." This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer,…

more

Internet Explorer 10, Office 365 ProPlus.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
internet explorer
10, 11, 9
microsoft
excel viewer
2007
microsoft
office
2010, 2013, 2016, 2019
microsoft
office 365 proplus
all versions
microsoft
office word viewer
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all input to the MSHTML engine, blocking the malformed content that triggers the RCE flaw.

prevent

Mandates timely application of Microsoft patches that remediate the MSHTML input-validation vulnerability before exploitation.

preventdetect

Deploys malicious-code detection mechanisms that can identify and block the specially crafted content used to exploit CVE-2019-0541.

References