CVE-2022-21840
Published: 11 January 2022
Summary
CVE-2022-21840 is a high-severity an unspecified weakness vulnerability in Microsoft Office. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Microsoft Office contains a remote code execution vulnerability tracked as CVE-2022-21840. The flaw received a CVSS 3.1 score of 8.8 with an attack vector of network, low complexity, no required privileges, and required user interaction, resulting in high impact to confidentiality, integrity, and availability. It affects Microsoft Office applications and was publicly disclosed on 11 January 2022.
An unauthenticated remote attacker can exploit the issue by delivering a malicious document or link that, once opened by a user, executes arbitrary code with the privileges of the current user. The unchanged scope rating indicates the compromise remains contained to the affected Office process but still grants full read, write, and execute capabilities on the victim system.
Microsoft security advisories at the listed MSRC URLs describe available patches and mitigation steps for supported Office versions. The associated EPSS score has remained flat at 0.0946 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-26996
Vulnerability details
Microsoft Office Remote Code Execution Vulnerability
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.