CVE-2017-8550

MEDIUM

Skype for Business >= Microsoft Office 2016 Click-to-Run (C2R) - Remote Code Execution

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-8550. PoCs published by nyxgeek.

AI-analyzed exploit summary This PowerShell script exploits CVE-2017-8550, an XSS vulnerability in Skype for Business 2016, by sending a malicious message via the Lync 2013 SDK. The script injects JavaScript to force the target's browser to navigate to a specified URL without user interaction.

Description

A remote code execution vulnerability exists in Skype for Business when the software fails to sanitize specially crafted content, aka "Skype for Business Remote Code Execution Vulnerability".

Exploits (1)

exploitdb WORKING POC
by nyxgeek · powershellremotewindows
https://www.exploit-db.com/exploits/42316

This PowerShell script exploits CVE-2017-8550, an XSS vulnerability in Skype for Business 2016, by sending a malicious message via the Lync 2013 SDK. The script injects JavaScript to force the target's browser to navigate to a specified URL without user interaction.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Skype for Business 2016 (versions 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower)
Auth required
Prerequisites: Lync 2013 SDK installed · Attacker logged into Skype for Business · Target user online
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42316/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98916

Scores

CVSS v3 5.4
EPSS 0.0955
EPSS Percentile 93.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
microsoft/office 2016
Microsoft Corporation/Skype for Business Microsoft Office 2016 Click-to-Run (C2R)
Published Jun 15, 2017
Tracked Since Feb 18, 2026