CVE-2022-21842
📋 TL;DR
CVE-2022-21842 is a remote code execution vulnerability in Microsoft Word that allows attackers to execute arbitrary code by tricking users into opening specially crafted documents. This affects users of Microsoft Word on Windows systems. Successful exploitation requires user interaction but can lead to full system compromise.
💻 Affected Systems
- Microsoft Word
- Microsoft Office
📦 What is this software?
Word by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining the same privileges as the logged-in user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Malware installation, credential theft, or data exfiltration through malicious documents delivered via phishing or compromised websites.
If Mitigated
Limited impact with proper email filtering, user training, and application sandboxing preventing successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious document. No public proof-of-concept has been released as of this writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: January 2022 security updates
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21842
Restart Required: Yes
Instructions:
1. Open Microsoft Word.
2. Go to File > Account > Update Options > Update Now.
3. Alternatively, use Windows Update for system-wide Office updates.
4. Restart affected systems after patching.
🔧 Temporary Workarounds
Block RTF documents
Windows: Prevent Word from opening RTF documents, which may be used in exploitation
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\FileBlock" /v "RtfFiles" /t REG_DWORD /d 2 /f
Enable Protected View
Windows: Force documents from the internet to open in Protected View
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value 0
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized Word execution
- Deploy email filtering to block suspicious attachments and enable macro blocking
🔍 How to Verify
Check if Vulnerable:
Check Word version via File > Account > About Word. Vulnerable versions include builds before January 2022 updates.
Check Version:
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "*Microsoft Office*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Verify Word version shows build number 14931.20132 or later for Microsoft 365, or verify January 2022 security updates are installed via Windows Update history.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing Word crashes with suspicious parameters
- Antivirus alerts for malicious Office documents
- Process creation logs showing unexpected child processes from WINWORD.EXE
Network Indicators:
- Outbound connections from Word to suspicious IPs
- DNS queries for command and control domains following document opening
SIEM Query:
source="windows" event_id=1 (process_name="WINWORD.EXE" AND (command_line="*\"*" OR parent_process!="explorer.exe"))
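The "unexpected child processes from WINWORD.EXE" log indicator above, written out as detection logic that keys on the parent image rather than the process name. This is an added example, not part of the original advisory; it assumes Sysmon Event ID 1 records already parsed into dicts using Sysmon's field names, and the allowlist and sample events are constructed for illustration.

```python
import ntpath

# Assumption: illustrative allowlist of children Word commonly spawns
# (print driver host, crash reporter). Tune it against your own baseline.
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path; tolerates missing fields."""
    return ntpath.basename(path or "").lower()


def word_child_alerts(events):
    """Return one alert per process-creation event whose parent is WINWORD.EXE
    and whose image is not on the allowlist."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:  # only Sysmon process-creation events
            continue
        if image_name(ev.get("ParentImage")) != "winword.exe":
            continue
        child = image_name(ev.get("Image"))
        if child in EXPECTED_CHILDREN:
            continue
        alerts.append({
            "host": ev.get("Computer"),
            "child": child,
            "command_line": ev.get("CommandLine", ""),
        })
    return alerts


# Constructed sample events (not real telemetry).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-CONSTRUCTED-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE + r"\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n report.docx"},
    {"EventID": 1, "Computer": "WS-CONSTRUCTED-01", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"EventID": 1, "Computer": "WS-CONSTRUCTED-01", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo constructed-sample"},
    {"EventID": 3, "Computer": "WS-CONSTRUCTED-02", "Image": OFFICE + r"\WINWORD.EXE"},
    {"EventID": 1, "Computer": "WS-CONSTRUCTED-02", "ParentImage": OFFICE + r"\winword.exe",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
]

if __name__ == "__main__":
    for alert in word_child_alerts(SAMPLE_EVENTS):
        print(alert)
```
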