CVE-2000-0854

Microsoft Office 2000 - Code Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2000-0854. PoCs published by Georgi Guninski.

AI-analyzed exploit summary: This exploit demonstrates a DLL hijacking vulnerability in Microsoft Windows where a malicious DLL (e.g., riched20.dll) is loaded from the current working directory instead of the system directory. The PoC includes a DLL that displays a message box and executes an arbitrary executable when loaded by an Office application.

Description

When a Microsoft Office 2000 document is launched, the directory of that document is searched first to locate DLLs such as riched20.dll and msi.dll, which could allow an attacker to execute arbitrary commands by inserting a Trojan horse DLL into the same directory as the document.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Georgi Guninski · c++ · local · windows
https://www.exploit-db.com/exploits/20232


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows (DLL loading mechanism), Microsoft Office applications
No auth needed
Prerequisites: Ability to place a malicious DLL in a directory where an Office document is opened · Victim must open an Office document from the directory containing the malicious DLL
devstral-2 · analyzed Feb 18, 2026

References (5)

Core References
Vendor Advisory (mailing-list, x_refsource_win2ksec): http://archives.neohapsis.com/archives/win2ksecadvice/2000-q3/0117.html
Third Party Advisory (mailing-list, x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2000-09/0277.html
Exploit, Patch, Vendor Advisory (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/1699
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/5263
Third Party Advisory (mailing-list, x_refsource_ntbugtraq): http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0155.html

Scores

EPSS: 0.2970
EPSS Percentile: 96.8%

Details

Status: published
Products (1): microsoft/office 2000
Published: Nov 14, 2000
Tracked Since: Feb 18, 2026