CVE-2019-1201

7.8 HIGH

📋 TL;DR

A remote code execution vulnerability in Microsoft Word allows an attacker to execute arbitrary code by persuading a user to open a specially crafted file. The vulnerability affects users of Microsoft Word and can be triggered through email attachments or web downloads. Successful exploitation gives the attacker the same permissions as the current user.

💻 Affected Systems

Products:
  • Microsoft Word
  • Microsoft Outlook
Versions: Specific affected versions are not given in the CVE description, but the references indicate multiple Office versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The Outlook Preview Pane can trigger exploitation without the user opening the file. All default configurations of affected Word versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the logged-on user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Malware installation, credential theft, or data exfiltration through spear-phishing campaigns targeting users who open malicious Word documents.

🟢 If Mitigated

Limited impact with proper email filtering, user awareness training, and disabled preview pane preventing automatic exploitation.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email or web links.
🏢 Internal Only: HIGH - Internal phishing campaigns could exploit this vulnerability to move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious file) but is straightforward once the file is opened. Email-based attacks are particularly effective.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Microsoft security update as referenced in advisory

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1201

Restart Required: Yes

Instructions:

1. Apply the Microsoft security update for the affected Office versions.
2. Restart affected systems.
3. Verify update installation through Windows Update or the Office update mechanisms.

🔧 Temporary Workarounds

Disable Outlook Preview Pane

Prevents automatic exploitation when malicious emails are viewed in Outlook Preview Pane

reg add "HKCU\Software\Microsoft\Office\14.0\Outlook\Options" /v DisableReadingPane /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Office\15.0\Outlook\Options" /v DisableReadingPane /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Outlook\Options" /v DisableReadingPane /t REG_DWORD /d 1 /f

🧯 If You Can't Patch

  • Disable Outlook Preview Pane via registry settings or Group Policy
  • Implement email filtering to block suspicious Word attachments and enable macro security settings

🔍 How to Verify

Check if Vulnerable:

Check the installed Office version and compare it against the patched versions listed in the Microsoft advisory. Systems without the security update are vulnerable.

Check Version:

wmic product where "name like 'Microsoft Office%'" get name, version

Verify Fix Applied:

Verify that the security update is installed via the Windows Update history or the Office update status. If the workaround was applied, check that the registry settings are still in place.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Word process spawning child processes
  • Office crash logs related to memory handling
  • Security event logs showing suspicious file opens

Network Indicators:

  • Unusual outbound connections from Word processes
  • DNS requests to suspicious domains after file opens

SIEM Query:

process_name:"WINWORD.EXE" AND (child_process:* OR network_connection:*)
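The SIEM query above, expressed as stand-alone detection logic run over constructed sample events. This is an added example, not part of the original page; the Sysmon-style field names, the key=value record format and the splwow64.exe allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records (EventID 1 = process create, 3 = network
# connection), written as key=value pairs.  Field names are assumptions.
SAMPLE_LOGS = [
    r'EventID=1 Host=WS01 ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image=C:\Windows\System32\splwow64.exe',
    r'EventID=1 Host=WS02 ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image=C:\Windows\System32\cmd.exe',
    r'EventID=3 Host=WS02 Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" DestinationIp=203.0.113.10 DestinationPort=443',
    r'EventID=1 Host=WS03 ParentImage=C:\Windows\explorer.exe Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'EventID=3 Host=WS04 Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" DestinationIp=198.51.100.7 DestinationPort=80',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed allowlist: the print-spooler helper that Word legitimately launches.
BENIGN_CHILDREN = {"splwow64.exe"}


def parse_event(line):
    """Turn one key=value record into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (indicator, host, detail) for Word-origin children and connections."""
    alerts = []
    for e in map(parse_event, lines):
        if e.get("EventID") == "1" and basename(e.get("ParentImage", "")) == "winword.exe":
            child = basename(e["Image"])
            if child not in BENIGN_CHILDREN:
                alerts.append(("child_process", e["Host"], child))
        elif e.get("EventID") == "3" and basename(e.get("Image", "")) == "winword.exe":
            alerts.append(("network_connection", e["Host"], f'{e["DestinationIp"]}:{e["DestinationPort"]}'))
    return alerts


def severity_by_host(alerts):
    """A host showing both indicator types gets 'high'; a single type gets 'medium'."""
    seen = defaultdict(set)
    for indicator, host, _ in alerts:
        seen[host].add(indicator)
    return {h: ("high" if len(kinds) == 2 else "medium") for h, kinds in seen.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print(severity_by_host(found))
```

Word launching itself from explorer.exe (WS03) and the allowlisted spooler helper (WS01) produce no alert, while the host with both a child process and an outbound connection (WS02) is escalated over a host with a single indicator (WS04).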
