CVE-2018-0802

HIGH KEV

Microsoft Office Equation Editor - Remote Code Execution via Memory Corruption


Exploitation Summary

CVE-2018-0802 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 7 public exploits from researchers including rxwx, Ridter, and zldww2011.

AI-analyzed exploit summary: This repository contains a Python-based exploit for CVE-2018-0802, which leverages the Packager OLE object to drop and execute a payload via an RTF file. The exploit can also chain CVE-2017-11882 for additional impact.

Description

Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows remote code execution due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.

Exploits (7)

nomisec WORKING POC 272 stars
by rxwx · client-side
https://github.com/rxwx/CVE-2018-0802

This repository contains a Python-based exploit for CVE-2018-0802, which leverages the Packager OLE object to drop and execute a payload via an RTF file. The exploit can also chain CVE-2017-11882 for additional impact.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (Equation Editor)
No auth needed
Prerequisites: Vulnerable version of Microsoft Office · User interaction to open malicious RTF file
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 167 stars
by Ridter · client-side
https://github.com/Ridter/RTF_11882_0802

This repository contains a Python script that generates malicious RTF files exploiting CVE-2017-11882 and CVE-2018-0802 in Microsoft Office. The exploit leverages a vulnerability in the Equation Editor to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (Equation Editor)
No auth needed
Prerequisites: Python environment · Target system with vulnerable Microsoft Office installation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 68 stars
by zldww2011 · client-side
https://github.com/zldww2011/CVE-2018-0802_POC

This repository contains a Python script that generates a malicious RTF file exploiting CVE-2018-0802, a vulnerability in Microsoft Equation Editor. The exploit triggers remote code execution by embedding a crafted OLE object in the RTF file.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (Equation Editor) < 2018-01-09
No auth needed
Prerequisites: Victim opens the malicious RTF file in a vulnerable version of Microsoft Office
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 11 stars
by likekabin · poc
https://github.com/likekabin/CVE-2018-0802_CVE-2017-11882

This repository contains a Python script that generates malicious RTF files exploiting CVE-2017-11882 and CVE-2018-0802 in Microsoft Office Equation Editor. The script embeds arbitrary commands into the RTF file, which execute upon opening in vulnerable versions of Microsoft Office.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (Equation Editor)
No auth needed
Prerequisites: Vulnerable version of Microsoft Office with unpatched Equation Editor · User interaction to open the malicious RTF file
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 1 star
by Abdibimantara · poc
https://github.com/Abdibimantara/Maldoc-Analysis

This repository contains a writeup discussing malware samples exploiting CVE-2017-11882 and CVE-2018-0802, specifically targeting Microsoft Office files. No exploit code is provided, only a description of the malware and its association with the vulnerabilities.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Microsoft Office (unspecified version)
No auth needed
Prerequisites: Malicious Office document
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by roninAPT · client-side
https://github.com/roninAPT/CVE-2018-0802

This repository contains a Python-based PoC exploit for CVE-2018-0802, a Microsoft Office RCE vulnerability. The exploit leverages the Packager OLE object to drop and execute an embedded payload via a crafted RTF file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (Equation Editor)
No auth needed
Prerequisites: Crafted RTF file with embedded payload · Victim interaction to open the malicious file
devstral-2 · analyzed Feb 16, 2026

patchapalooza WORKING POC
by Solitude-Echo · poc
https://gitee.com/Solitude-Echo/cve-2018-0802

This repository contains a functional Python script that generates malicious RTF files exploiting CVE-2018-0802 and CVE-2017-11882. The script embeds OLE objects with crafted Equation Editor data to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Office (Equation Editor)
No auth needed
Prerequisites: Python environment · Target system with vulnerable Microsoft Office
devstral-2 · analyzed Feb 23, 2026

References (8)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rxwx/CVE-2018-0802
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040153
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102347
Third Party Advisory x_refsource_misc
https://github.com/zldww2011/CVE-2018-0802_POC

Scores

CVSS v3: 7.8
EPSS: 0.9407
EPSS Percentile: 99.9%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2018-01-09
InTheWild.io: 2018-01-09
ENISA EUVD: EUVD-2018-1608
CWE: CWE-787
Status: published
Products (9)
microsoft/office 2007 sp3
microsoft/office 2010 sp2
microsoft/office 2013 sp1
microsoft/office 2016 (2 CPE variants)
microsoft/office_compatibility_pack
microsoft/word 2007 sp3
microsoft/word 2010 sp2
microsoft/word 2013 sp1 (2 CPE variants)
microsoft/word 2016
Published: Jan 10, 2018
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026