CVE-2017-11826

HIGH KEV

Microsoft Office - Remote Code Execution via Memory Corruption

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2017-11826 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2022. EIP tracks 2 public exploits from researchers including thatskriptkid, hz9511.

AI-analyzed exploit summary This PoC generates a malicious Word document exploiting CVE-2017-11826 via DDEAUTO field injection to execute arbitrary commands. It downloads and executes a payload from a specified URL using PowerShell.

Description

Microsoft Office 2010, SharePoint Enterprise Server 2010, SharePoint Server 2010, Web Applications, Office Web Apps Server 2010 and 2013, Word Viewer, Word 2007, 2010, 2013 and 2016, Word Automation Services, and Office Online Server allow remote code execution when the software fails to properly handle objects in memory.

Exploits (2)

nomisec WORKING POC 9 stars
by thatskriptkid · client-side
https://github.com/thatskriptkid/CVE-2017-11826

This PoC generates a malicious Word document exploiting CVE-2017-11826 via DDEAUTO field injection to execute arbitrary commands. It downloads and executes a payload from a specified URL using PowerShell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Office (Word) 2007-2016
No auth needed
Prerequisites: Python with python-docx library · Target must open the generated Word document
devstral-2 · analyzed Feb 16, 2026 Full analysis →
patchapalooza WORKING POC
by hz9511 · poc
https://gitee.com/hz9511/CVE-2017-11826

This repository contains a functional exploit for CVE-2017-11826, which leverages DDE (Dynamic Data Exchange) in Microsoft Word to execute arbitrary commands. The Python script generates a malicious Word document that triggers command execution via a crafted DDE field.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office Word (versions affected by CVE-2017-11826)
No auth needed
Prerequisites: Python with python-docx library · Victim to open the generated malicious Word document
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (7)

Core 7
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101219
Exploit, Third Party Advisory x_refsource_misc
https://www.tarlogic.com/en/blog/exploiting-word-cve-2017-11826/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039541

Scores

CVSS v3 7.8
EPSS 0.9169
EPSS Percentile 99.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-03
VulnCheck KEV 2017-09-28
InTheWild.io 2017-09-28
ENISA EUVD EUVD-2017-3426
CWE
CWE-119
Status published
Products (13)
microsoft/office_compatibility_pack
microsoft/office_online_server 2016
microsoft/office_web_apps_server 2010 sp2
microsoft/office_web_apps_server 2013 sp1
microsoft/office_word_viewer
microsoft/sharepoint_enterprise_server 2016
microsoft/sharepoint_server 2010 sp2
microsoft/sharepoint_server 2013 sp1
microsoft/word 2007 sp3
microsoft/word 2010 sp2
... and 3 more
Published Oct 13, 2017
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026