CVE-2022-21842

Severity: High

Published: 11 January 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0395 (88.6th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-21842 is a high-severity vulnerability in Microsoft Word whose underlying weakness (CWE) is unspecified. Its CVSS base score is 7.8 (High).

Operationally, this CVE ranks in the top 11.4% of all CVEs by exploit likelihood (EPSS 88.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft Word contains a remote code execution vulnerability tracked as CVE-2022-21842. The flaw affects the Microsoft Word application and carries a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, no required privileges, and required user interaction, with high impact to confidentiality, integrity, and availability.

An attacker can exploit the issue by supplying a specially crafted document that a victim opens in Microsoft Word. Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the current user, potentially leading to full control over affected documents and system resources reachable from that user account.

Microsoft security advisories at the listed MSRC URLs describe the vulnerability and direct administrators to apply the patches released through the standard Microsoft Update channels.

The associated EPSS score rose materially from low values at disclosure to a peak of 0.1804 on 2025-01-22 before receding to the current 0.0395, indicating that exploitation interest increased well after the initial publication.

Vulnerability details

Microsoft Word Remote Code Execution Vulnerability

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft SharePoint Enterprise Server 2016
Microsoft Word 2016

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
