CVE-2015-1641

HIGH KEV RANSOMWARE

Microsoft Office - Remote Code Execution via Crafted RTF Document

Title source: llm

Exploitation Summary

CVE-2015-1641 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including Cyberclues.

AI-analyzed exploit summary This repository contains a Python script designed to extract malicious payloads and decoy documents from RTF files exploiting CVE-2015-1641. The script identifies markers within the RTF file, decrypts the payload using XOR, and saves the extracted content.

Description

Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."

Exploits (1)

nomisec WORKING POC 23 stars

by Cyberclues · poc

https://github.com/Cyberclues/rtf_exploit_extractor

View Code ZIP pw:eip

This repository contains a Python script designed to extract malicious payloads and decoy documents from RTF files exploiting CVE-2015-1641. The script identifies markers within the RTF file, decrypts the payload using XOR, and saves the extracted content.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Office (RTF parsing)

No auth needed

Prerequisites: Exploit document (RTF file) containing CVE-2015-1641 payload

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1027 - Obfuscated Files or Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1032104

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/73995

Patch, Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-033

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-1641

Scores

CVSS v3 7.8

EPSS 0.9733

EPSS Percentile 99.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2021-11-03

VulnCheck KEV 2015-04-14

InTheWild.io 2015-04-14

ENISA EUVD EUVD-2015-1771

Ransomware Use Confirmed

CWE

CWE-787

Status published

Products (11)

microsoft/office 2010 sp2

microsoft/office_compatibility_pack

microsoft/office_web_apps 2010 sp2

microsoft/office_web_apps 2013 sp1

microsoft/outlook 2011

microsoft/sharepoint_server 2010 sp2

microsoft/sharepoint_server 2013 sp1

microsoft/word 2007 sp3

microsoft/word 2010 sp2

microsoft/word 2011

... and 1 more

Published Apr 14, 2015

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026