CVE-2024-11957

CRITICAL

Kingsoft WPS Office <=12.1.0.18276 - Code Injection

Title source: llm

Description

Improper verification of the digital signature in ksojscore.dll in Kingsoft WPS Office versions less than or equal to 12.1.0.18276 on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.2.0.16909 to mitigate CVE-2024-7262 was not restrictive enough.

Scores

CVSS v4 9.3
EPSS 0.0004
EPSS Percentile 10.8%
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-347
Status published
Products (1)
Kingsoft/WPS Office 12.2.0.16909 - 12.1.0.18276
Published Mar 04, 2025
Tracked Since Feb 18, 2026