
CVE-2022-21840

Severity: High · Updated

Published: 11 January 2022
Modified: 19 May 2026
KEV Added:
Patch:
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0946 (93.0th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21840 is a high-severity vulnerability in Microsoft Office with an unspecified weakness type. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft Office contains a remote code execution vulnerability tracked as CVE-2022-21840. The flaw received a CVSS 3.1 score of 8.8 with an attack vector of network, low complexity, no required privileges, and required user interaction, resulting in high impact to confidentiality, integrity, and availability. It affects Microsoft Office applications and was publicly disclosed on 11 January 2022.

An unauthenticated remote attacker can exploit the issue by delivering a malicious document or link that, once opened by a user, executes arbitrary code with the privileges of the current user. The unchanged scope rating (S:U) indicates the compromise remains contained to the affected Office process, but it still grants read, write, and execute capabilities on the victim system at that user's privilege level.

Microsoft security advisories at the listed MSRC URLs describe available patches and mitigation steps for supported Office versions. The associated EPSS score has remained flat at 0.0946 with no material increase since disclosure.

EU & UK References

Vulnerability details

Microsoft Office Remote Code Execution Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
microsoft | excel | 2013, 2016
microsoft | office | 2013, 2016, 2019
microsoft | office long term servicing channel | 2021
microsoft | office online server | all versions
microsoft | office web apps | 2013
microsoft | sharepoint enterprise server | 2013
microsoft | sharepoint server | 2013, 2016, 2019, all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References