CVE-2022-24934

CRITICAL EXPLOITED

Kingsoft WPS Office < 11.2.0.10382 - Remote Code Execution via Registry Modification

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-24934 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including webraybtl, MagicPiperSec, ASkyeye.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2022-24934, which leverages a vulnerability in WPS Office's update mechanism to achieve arbitrary code execution by manipulating the update server address in the registry.

Description

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

Exploits (4)

nomisec WORKING POC 20 stars
by webraybtl · poc
https://github.com/webraybtl/CVE-2022-24934

This repository contains a proof-of-concept exploit for CVE-2022-24934, which leverages a vulnerability in WPS Office's update mechanism to achieve arbitrary code execution by manipulating the update server address in the registry.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPS Office versions <= 11.2.0.10382
No auth needed
Prerequisites: Access to the target system's registry · Ability to modify HKEY_CURRENT_USER registry keys
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 5 stars
by MagicPiperSec · poc
https://github.com/MagicPiperSec/WPS-CVE-2022-24934

This repository provides a fake WPS Update Server PoC for CVE-2022-24934, which exploits a vulnerability in WPS Office by serving a malicious file disguised as an update. The server requires a SigThief-ed file to bypass signature checks and includes an EICAR test signature to prevent direct misuse.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPS Office (specific version not specified)
No auth needed
Prerequisites: Go 1.18+ · SigThief-ed malicious file · Environment variable `HACK_WPS_FILENAME` set
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by ASkyeye · poc
https://github.com/ASkyeye/WPS-CVE-2022-24934

This repository provides a fake WPS Update Server PoC for CVE-2022-24934, exploiting a vulnerability in WPS Office via wpsupdate.exe. It requires a SigThief-ed malicious file and serves it over HTTP to trigger the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WPS Office (specific version not specified)
No auth needed
Prerequisites: Go 1.18+ · SigThief-ed malicious file · Environment variable HACK_WPS_FILENAME set
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by nanaao · poc
https://github.com/nanaao/CVE-2022-24934

This repository contains only a README with images and no exploit code. It appears to be a writeup or documentation for CVE-2022-24934 but lacks any functional PoC or technical details.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory x_refsource_misc
https://www.wps.com

Scores

CVSS v3 9.8
EPSS 0.3223
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-03-22
Status published
Products (1)
wps/wps_office < 11.2.0.10382
Published Mar 23, 2022
Tracked Since Feb 18, 2026