CVE-2021-40399

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution through a maliciously crafted XLS file in WPS Office Spreadsheets. Attackers can exploit a use-after-free condition to execute arbitrary code on the victim's system. Users of WPS Office version 11.2.0.10351 are affected.

💻 Affected Systems

Products:
  • WPS Office
  • WPS Spreadsheets (ET)
Versions: 11.2.0.10351
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of the affected version are vulnerable when opening XLS files. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the victim's computer, enabling data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Remote code execution leading to malware installation, credential theft, or system disruption when users open malicious XLS files.

🟢 If Mitigated

Limited impact with proper email filtering, user awareness training, and application sandboxing preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. The vulnerability is well-documented with technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.2.0.10352 or later

Vendor Advisory: https://security.wps.cn/notices/28

Restart Required: No

Instructions:

1. Open WPS Office
2. Navigate to Help > Check for Updates
3. Install available updates
4. Verify version is 11.2.0.10352 or newer

🔧 Temporary Workarounds

Disable automatic file opening (applies to: all)

Configure WPS Office to not automatically open XLS files from untrusted sources.

File extension filtering (applies to: all)

Block .XLS files at email gateways and web proxies.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Use Microsoft Office or alternative spreadsheet software temporarily

🔍 How to Verify

Check if Vulnerable:

Check the WPS Office version in Help > About WPS Office. If the version is exactly 11.2.0.10351, the system is vulnerable.

Check Version:

Run wps --version (Linux), or check Help > About WPS Office in the GUI.

Verify Fix Applied:

Verify version is 11.2.0.10352 or newer in Help > About WPS Office.
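The two checks above (is the installed build exactly the affected version, and is it at or past the fixed version) reduce to a four-part numeric version comparison. The script below is an added example, not part of this advisory or of WPS Office; it parses a version string such as the output of wps --version or the text from the About dialog and classifies it against the numbers given above. Invoking wps --version from the script is an assumption taken from the verification note; the parser itself works on any pasted version string.

```python
import re
import subprocess

# Version numbers stated in the advisory above.
AFFECTED_VERSION = (11, 2, 0, 10351)
FIXED_VERSION = (11, 2, 0, 10352)

def parse_version(text):
    """Extract the first a.b.c.d version from free text (e.g. 'WPS Office 11.2.0.10351')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no a.b.c.d version found in: %r" % text)
    return tuple(int(part) for part in m.groups())

def assess(version_text):
    """Classify an installed build relative to the advisory.

    Returns 'vulnerable' for the listed affected build, 'fixed' for the patch
    version or newer, and 'not-listed' for anything older than the affected
    build (the advisory makes no statement about those).
    """
    version = parse_version(version_text)
    if version == AFFECTED_VERSION:
        return "vulnerable"
    if version >= FIXED_VERSION:
        return "fixed"
    return "not-listed"

def assess_installed_linux():
    """Run 'wps --version' (assumption: the CLI flag named in the advisory) and classify it."""
    try:
        out = subprocess.run(["wps", "--version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return "unknown (could not run wps: %s)" % exc
    try:
        return assess(out.stdout + out.stderr)
    except ValueError as exc:
        return "unknown (%s)" % exc

if __name__ == "__main__":
    # Constructed sample strings, mirroring what the About dialog might show.
    for sample in ("WPS Office 11.2.0.10351", "WPS Office 11.2.0.10352", "11.2.0.10400"):
        print(sample, "->", assess(sample))
    print("installed:", assess_installed_linux())
```

Comparing tuples rather than strings matters here: a string comparison would rank "11.2.0.9999" above "11.2.0.10352", so a lexical check could report a vulnerable build as fixed.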

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed attempts to open XLS files
  • Unexpected WPS Office crashes with memory access violations
  • Process creation from WPS Office with unusual command lines

Network Indicators:

  • Inbound emails with XLS attachments from unknown senders
  • Downloads of XLS files from suspicious domains

SIEM Query:

process_name:"wps.exe" AND (event_id:1000 OR event_id:1001) AND file_extension:".xls"
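The query above looks for crash events from the WPS Office process that involve an .xls file. As an added example, not part of this advisory, the filter below applies the same three conditions to constructed sample events in Python and then adds the "multiple crashes on one host" logic from the log indicators list, since a single crash is noise but repeated crashes while opening XLS files on one workstation are worth a look. The event records, host names and file paths are constructed; treating event IDs 1000 and 1001 as Windows Application Error and Windows Error Reporting events is an assumption carried over from the SIEM query.

```python
import os
from collections import Counter

# Constructed sample events; field names mirror the SIEM query above.
SAMPLE_EVENTS = [
    {"host": "ws01", "process_name": "wps.exe",   "event_id": 1000, "file_path": r"C:\Users\a\Downloads\invoice.xls"},
    {"host": "ws01", "process_name": "wps.exe",   "event_id": 1001, "file_path": r"C:\Users\a\Downloads\report.XLS"},
    {"host": "ws01", "process_name": "wps.exe",   "event_id": 1000, "file_path": r"C:\Users\a\Documents\notes.docx"},
    {"host": "ws02", "process_name": "wps.exe",   "event_id": 1000, "file_path": r"C:\Users\b\Desktop\budget.xls"},
    {"host": "ws02", "process_name": "excel.exe", "event_id": 1000, "file_path": r"C:\Users\b\Desktop\budget.xls"},
    {"host": "ws03", "process_name": "wps.exe",   "event_id": 7,    "file_path": r"C:\Users\c\Desktop\plan.xls"},
]

CRASH_EVENT_IDS = {1000, 1001}  # assumption: Application Error / Windows Error Reporting

def file_extension(path):
    """Lower-cased extension so 'report.XLS' and 'report.xls' match alike."""
    return os.path.splitext(path or "")[1].lower()

def matches_query(event):
    """Equivalent of: process_name:"wps.exe" AND (event_id:1000 OR event_id:1001) AND file_extension:".xls"."""
    return (
        event.get("process_name", "").lower() == "wps.exe"
        and event.get("event_id") in CRASH_EVENT_IDS
        and file_extension(event.get("file_path")) == ".xls"
    )

def find_crash_events(events):
    """Return every event that satisfies the SIEM query."""
    return [e for e in events if matches_query(e)]

def hosts_over_threshold(events, threshold=2):
    """Hosts with at least `threshold` matching crashes, i.e. the 'multiple attempts' indicator."""
    counts = Counter(e["host"] for e in find_crash_events(events))
    return sorted(host for host, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for e in find_crash_events(SAMPLE_EVENTS):
        print("match:", e["host"], e["event_id"], e["file_path"])
    print("hosts to triage:", hosts_over_threshold(SAMPLE_EVENTS))
```

Normalising the extension and process name before comparing is the part most often skipped in a hand-written SIEM query; without it an attachment saved as .XLS or a differently cased process name silently drops out of the results.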
