CVE-2021-21958

7.8 HIGH

📋 TL;DR

This heap-based buffer overflow vulnerability in Hancom Office's Hword component allows attackers to execute arbitrary code by tricking users into opening malicious documents. It affects Hancom Office 2020 users who process untrusted files. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Hancom Office 2020
Versions: 11.0.0.2353 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Hword word processing component when processing malicious documents.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the user running Hancom Office, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation or remote code execution when users open malicious documents from untrusted sources, leading to malware infection or data exfiltration.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only causing application crashes.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open malicious documents. Technical details and proof-of-concept are publicly available in Talos Intelligence reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version 11.0.0.2354 or later

Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1386

Restart Required: Yes

Instructions:

1. Open Hancom Office
2. Navigate to Help > Check for Updates
3. Follow prompts to download and install latest version
4. Restart computer after installation

🔧 Temporary Workarounds

Disable Hword file associations (Windows)

Prevent automatic opening of Hword documents by changing file associations:

1. Open Control Panel > Default Programs > Associate a file type or protocol with a program
2. Change the .hwp/.hwt associations to open with a different application

Application sandboxing (Windows)

Run Hancom Office in a restricted environment

🧯 If You Can't Patch

  • Implement strict email filtering to block suspicious attachments
  • Educate users to never open documents from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check Hancom Office version in Help > About Hancom Office

Check Version:

Not applicable - check via GUI in Help > About

Verify Fix Applied:

Verify version is 11.0.0.2354 or higher in Help > About Hancom Office

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of Hword.exe
  • Unusual process spawning from Hword.exe
  • Memory access violation errors in Windows Event Logs

Network Indicators:

  • Outbound connections from Hword.exe to suspicious IPs
  • Unusual file downloads triggered by Hword process

SIEM Query:

Process Creation where (Image contains 'hword.exe' AND (CommandLine contains '.hwp' OR CommandLine contains '.hwt'))
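
The following is an added example, not part of the advisory or any vendor tooling: it applies the process-creation query and the "unusual process spawning from Hword.exe" indicator to constructed events, and shows why the two CommandLine terms must be grouped under the Image condition. Field names follow Sysmon Event ID 1; the sample events, paths and the allowlist of expected child processes are assumptions.

```python
import ntpath

# Constructed Sysmon Event ID 1 style records; paths and command lines are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Apps\Hancom\Hword.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Apps\Hancom\Hword.exe" "C:\Users\a\Downloads\invoice.hwp"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\a\template.hwt"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Apps\Hancom\Hword.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"Image": r"C:\Windows\splwow64.exe", "ParentImage": r"C:\Apps\Hancom\Hword.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192"},
]
# Assumption: child processes considered normal in this environment (tune locally).
ALLOWED_CHILDREN = frozenset({"splwow64.exe"})

def _exe(path):
    """Lower-cased file name of a Windows path (stricter than 'contains')."""
    return ntpath.basename(path or "").lower()

def opens_hword_document(ev):
    """Grouped form: Image is hword.exe AND (CommandLine has .hwp OR .hwt)."""
    cmd = (ev.get("CommandLine") or "").lower()
    return _exe(ev.get("Image")) == "hword.exe" and (".hwp" in cmd or ".hwt" in cmd)

def ungrouped_match(ev):
    """Same terms without inner parentheses: (Image AND .hwp) OR .hwt."""
    cmd = (ev.get("CommandLine") or "").lower()
    return (_exe(ev.get("Image")) == "hword.exe" and ".hwp" in cmd) or ".hwt" in cmd

def spawned_by_hword(ev, allowed_children=frozenset()):
    """Child process of Hword.exe that is not on the local allowlist."""
    return (_exe(ev.get("ParentImage")) == "hword.exe"
            and _exe(ev.get("Image")) not in allowed_children)

def triage(events, allowed_children=frozenset()):
    """Return (finding, detail) pairs in event order."""
    findings = []
    for ev in events:
        if spawned_by_hword(ev, allowed_children):
            findings.append(("child_of_hword", ev["Image"]))
        elif opens_hword_document(ev):
            findings.append(("document_open", ev["CommandLine"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, ALLOWED_CHILDREN):
        print(finding)
```

The ungrouped form matches the notepad event because any process with `.hwt` on its command line satisfies the trailing OR term.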
