CVE-2017-0261

HIGH KEV

Microsoft Office 2010 SP2, 2013 SP1, 2016 - Remote Code Execution via Use-After-Free

Title source: llm

Exploitation Summary

CVE-2017-0261 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 2 public exploits from researchers including kcufId, erfze.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2017-0261, targeting a vulnerability in EPSIMP32.FLT. The assembly code loads a malicious EPS file and manipulates memory to trigger the exploit, demonstrating a working attack chain.

Description

Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.

Exploits (2)

nomisec WORKING POC 10 stars

by kcufId · local

https://github.com/kcufId/eps-CVE-2017-0261

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2017-0261, targeting a vulnerability in EPSIMP32.FLT. The assembly code loads a malicious EPS file and manipulates memory to trigger the exploit, demonstrating a working attack chain.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: EPSIMP32.FLT (likely Adobe or Microsoft EPS filter library)

No auth needed

Prerequisites: Malicious EPS file (eps.conf) must be present in the working directory

MITRE ATT&CK

T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by erfze · local

https://github.com/erfze/CVE-2017-0261

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2017-0261, a use-after-free (UAF) vulnerability in Microsoft Office's EPS filter (EPSIMP32.FLT). The exploit leverages PostScript 'save-restore' operations to trigger the UAF and achieve arbitrary memory manipulation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Microsoft Office 2010 SP2, 2013 SP1, 2016

No auth needed

Prerequisites: Microsoft Office with vulnerable EPS filter (EPSIMP32.FLT) · Malicious EPS file embedded in Office document

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Patch, Vendor Advisory x_refsource_confirm

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/98104

Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038444

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0261

Scores

CVSS v3 7.8

EPSS 0.7813

EPSS Percentile 99.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-03-03

VulnCheck KEV 2017-05-09

InTheWild.io 2017-05-09

ENISA EUVD EUVD-2017-0617

CWE

CWE-416

Status published

Products (4)

microsoft/office 2010 sp2

microsoft/office 2013 sp1

microsoft/office 2016

Microsoft Corporation/Microsoft Office Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016

Published May 12, 2017

KEV Added Mar 03, 2022

Tracked Since Feb 18, 2026