CVE-2021-34452

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution through specially crafted Microsoft Word documents. Attackers can exploit this by tricking users into opening malicious files, potentially gaining control of affected systems. All users running vulnerable versions of Microsoft Word are affected.

💻 Affected Systems

Products:
  • Microsoft Word
  • Microsoft Office
Versions: Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft 365 Apps for Enterprise
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both 32-bit and 64-bit versions. Microsoft 365 Apps auto-update mitigates this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Malware installation, credential theft, and data compromise through user interaction with malicious documents.

🟢 If Mitigated

Limited impact with proper email filtering, user training, and application sandboxing preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction to open malicious document. No known public exploits at time of advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2021 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34452

Restart Required: Yes

Instructions:

1. Open Microsoft Word.
2. Go to File > Account > Update Options > Update Now.
3. Restart computer after update completes.

For enterprise: Deploy July 2021 security updates through WSUS or Microsoft Endpoint Configuration Manager.

🔧 Temporary Workarounds

Block Office file types via email filtering
Platform: all
Configure email gateways to block .doc, .docx, and .rtf attachments from untrusted sources.

Enable Protected View
Platform: windows
Configure Microsoft Office to open all documents from the internet in Protected View.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized executables from running
  • Deploy Microsoft Office in Application Guard or similar sandboxing environment

🔍 How to Verify

Check if Vulnerable:

Check the Office version in Word: File > Account > About Word. If the version predates the July 2021 updates, the system is vulnerable.

Check Version:

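In PowerShell (both uninstall hives are queried so that 32-bit Office on 64-bit Windows is included, and the filter also matches Microsoft 365 Apps):

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Where-Object {$_.DisplayName -like "*Microsoft Office*" -or $_.DisplayName -like "*Microsoft 365*"} | Select-Object DisplayName, DisplayVersion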

Verify Fix Applied:

Verify Office version includes July 2021 security updates. Check Windows Update history for KB5002045 or later Office security updates.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs: Application crashes of WINWORD.EXE with unusual error codes
  • Process creation from WINWORD.EXE spawning unexpected child processes

Network Indicators:

  • Outbound connections from WINWORD.EXE to external IPs
  • DNS queries for suspicious domains from Office processes

SIEM Query:

source="windows" process_name="WINWORD.EXE" (event_id=1000 OR event_id=1001) | stats count by host
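
The SIEM query above covers only the crash indicator. For the second log indicator (WINWORD.EXE spawning unexpected child processes), the following is an added example, not part of the advisory, that filters Security event 4688 records by parent process. The function names, the allowlist of expected children and the sample records are assumptions made for illustration.

```powershell
# Added example, not part of the advisory: flag process creations whose parent is WINWORD.EXE.
# Assumption: this allowlist of expected children is illustrative; tune it per environment.
$ExpectedChildren = @('splwow64.exe', 'WerFault.exe')

# Flatten a Security 4688 event (from Get-WinEvent) into the fields used below.
function ConvertFrom-Event4688 {
    param([Parameter(Mandatory, ValueFromPipeline)] $WinEvent)
    process {
        $data = @{}
        foreach ($node in ([xml]$WinEvent.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            TimeCreated       = $WinEvent.TimeCreated
            Computer          = $WinEvent.MachineName
            ParentProcessName = $data['ParentProcessName']
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']   # empty unless command-line auditing is on
        }
    }
}

# Emit records where Word is the parent and the child is not on the allowlist.
function Find-WordChildProcess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [string[]] $Allow = $ExpectedChildren
    )
    process {
        $parent = ($Record.ParentProcessName -split '\\')[-1]
        $child  = ($Record.NewProcessName -split '\\')[-1]
        if ($parent -ieq 'WINWORD.EXE' -and $Allow -notcontains $child) { $Record }
    }
}

# Constructed sample records (not real telemetry) so the filter can be tried offline.
$word = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$sample = @(
    [pscustomobject]@{ Computer = 'WS-EXAMPLE-01'; ParentProcessName = $word
        NewProcessName = 'C:\Windows\splwow64.exe'; CommandLine = 'splwow64.exe 8192' },
    [pscustomobject]@{ Computer = 'WS-EXAMPLE-02'; ParentProcessName = $word
        NewProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c <constructed>' },
    [pscustomobject]@{ Computer = 'WS-EXAMPLE-03'; ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe' }
)
$sample | Find-WordChildProcess | Format-List Computer, NewProcessName, CommandLine

# Live use (requires the "Audit Process Creation" policy to be enabled):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | ConvertFrom-Event4688 | Find-WordChildProcess
```

Only the WS-EXAMPLE-02 record is returned from the sample set. The ParentProcessName field is present in 4688 events on Windows 10 and Windows Server 2016 or later.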
