CVE-2022-25943

HIGH

WPS Office < 11.2.0.10258 - Incorrect Default Permissions in Service Directory

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-25943. PoCs published by HadiMed, webraybtl.

AI-analyzed exploit summary This PoC exploits a DLL hijacking vulnerability in Kingsoft WPS Office (CVE-2022-25943) by planting a malicious DLL in a writable directory, which is then loaded by the WPS Cloud service running as NT AUTHORITY. The exploit escalates privileges to SYSTEM by changing the Administrator password and stealing the winlogon token.

Description

The installer of WPS Office for Windows versions prior to v11.2.0.10258 fails to configure properly the ACL for the directory where the service program is installed.

Exploits (2)

nomisec WORKING POC 58 stars
by HadiMed · poc
https://github.com/HadiMed/KINGSOFT-WPS-Office-LPE

This PoC exploits a DLL hijacking vulnerability in Kingsoft WPS Office (CVE-2022-25943) by planting a malicious DLL in a writable directory, which is then loaded by the WPS Cloud service running as NT AUTHORITY. The exploit escalates privileges to SYSTEM by changing the Administrator password and stealing the winlogon token.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Kingsoft WPS Office (versions with vulnerable service configuration)
No auth needed
Prerequisites: Write access to C:\ProgramData\kingsoft\office6\ · WPS Cloud service installed and configured to start automatically
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 6 stars
by webraybtl · poc
https://github.com/webraybtl/CVE-2022-25943

This repository contains a working proof-of-concept exploit for CVE-2022-25943, which leverages a DLL hijacking vulnerability in WPS Office to achieve local privilege escalation (LPE). The exploit involves placing a malicious DLL in a writable directory and restarting the WPS Cloud service to load the DLL with elevated privileges.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: WPS Office versions < 11.2.0.10258
No auth needed
Prerequisites: WPS Office installed with vulnerable version · Write access to the WPS Office installation directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Product x_refsource_confirm
https://www.wps.com/whatsnew/pc/20210806/
Third Party Advisory third-party-advisory x_refsource_jvn
https://jvn.jp/en/vu/JVNVU90673830/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/HadiMed/KINGSOFT-WPS-Office-LPE

Scores

CVSS v3 7.8
EPSS 0.0070
EPSS Percentile 48.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-276
Status published
Products (1)
kingsoft/wps_office < 11.2.0.10258
Published Mar 09, 2022
Tracked Since Feb 18, 2026