Login Sign Up

CVE-2018-5195

9.8 CRITICAL
Remote Code Execution Buffer Overflow

📋 TL;DR

CVE-2018-5195 is a critical buffer overflow vulnerability in Hancom NEO office software that allows remote attackers to execute arbitrary commands by exploiting hyperlink attributes in documents. Attackers can achieve remote code execution when users open malicious documents. This affects all users of vulnerable Hancom NEO versions.

💻 Affected Systems

Products:
  • Hancom NEO
Versions: 9.6.1.5183 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing hyperlink attributes in documents. All default installations are vulnerable.

📦 What is this software?

Thinkfree Office Neo by Hancom

View all CVEs affecting Thinkfree Office Neo →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the victim's computer, enabling data theft, ransomware deployment, or lateral movement within networks.

🟠

Likely Case

Remote code execution leading to malware installation, credential theft, or data exfiltration when users open malicious documents.

🟢

If Mitigated

Limited impact with proper application sandboxing, least privilege execution, and network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open malicious document. Buffer overflow leads to arbitrary code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.6.1.5184 and later

Vendor Advisory: http://help.hancom.com/cve/hoffice/en-US/CVE_en_050_01.htm

Restart Required: Yes

Instructions:

1. Download latest Hancom NEO version from official website. 2. Uninstall current version. 3. Install updated version. 4. Restart system.

🔧 Temporary Workarounds

Disable hyperlink processing

windows

Prevent document hyperlinks from being processed automatically

Use application sandboxing

windows

Run Hancom NEO in restricted environment to limit exploit impact

🧯 If You Can't Patch

  • Block all Hancom NEO documents at network perimeter and email gateways
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Hancom NEO version in Help > About. If version is 9.6.1.5183 or earlier, system is vulnerable.

Check Version:

Not applicable - check via GUI Help > About menu

Verify Fix Applied:

Verify version is 9.6.1.5184 or later in Help > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Process creation from Hancom NEO with unusual command-line arguments
  • Memory access violations in Hancom NEO process logs

Network Indicators:

  • Outbound connections from Hancom NEO to suspicious IPs
  • Document downloads followed by unusual process execution

SIEM Query:

Process Creation where Parent Process contains 'Hancom' AND Command Line contains unusual patterns

📊 Metadata

CVE ID: CVE-2018-5195
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
Published: January 17, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-5195, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)