CVE-2022-26081

7.8 HIGH

📋 TL;DR

This vulnerability in the WPS Office installer allows attackers to execute arbitrary code by exploiting insecure DLL loading. It affects users running the WPS Office Version 10.8.0.5745 installer on Windows systems. The attacker needs to place a malicious shcore.dll in a location the installer searches before legitimate system directories.

💻 Affected Systems

Products:
  • WPS Office
Versions: Version 10.8.0.5745
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the installer component, not the main WPS Office application. Requires the attacker to place a malicious DLL in a specific directory before the installer runs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the user running the installer, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation where an attacker with initial access can execute code with higher privileges, install malware, or pivot to other systems.

🟢 If Mitigated

Limited impact with proper application whitelisting, restricted user privileges, and security controls preventing unauthorized DLL execution.

🌐 Internet-Facing: LOW - This requires local access or ability to place files on the target system before installer execution.
🏢 Internal Only: MEDIUM - Internal attackers or malware with initial foothold could exploit this for privilege escalation or lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to plant a malicious DLL, and timing so that it is in place when the installer runs. The attack vector is local, not remote.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 10.8.0.5745

Vendor Advisory: https://support.kingsoft.jp/support-info/weakness.html

Restart Required: No

Instructions:

1. Update WPS Office to latest version.
2. If using version 10.8.0.5745, download and install newer version from official WPS Office website.
3. Verify installation completes successfully.

🔧 Temporary Workarounds

Restrict installer execution

windows

Limit who can run WPS Office installer and from which directories

Enable DLL Safe Search Mode

windows

Configure Windows to search system directories before the current directory when loading DLLs

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

🧯 If You Can't Patch

  • Run installer only from trusted, controlled directories where attackers cannot place files
  • Use application control/whitelisting to prevent unauthorized DLL execution

🔍 How to Verify

Check if Vulnerable:

Check WPS Office version: Open WPS Office → Help → About WPS Office. If version is 10.8.0.5745, you are vulnerable.

Check Version:

wmic product where name="WPS Office" get version

Verify Fix Applied:

After updating, verify version is newer than 10.8.0.5745 in Help → About WPS Office.

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for WPS Office installer loading DLLs from unusual locations
  • File creation events for shcore.dll in directories accessible to users

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Process creation where process_name contains "wps" AND process_command_line contains "install" AND loaded_module contains "shcore.dll"
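
The log indicators above expressed as runnable detection logic. This is an added example, not part of the original advisory: it assumes image-load records shaped like Sysmon Event ID 7 (fields Image and ImageLoaded), a default Windows directory layout, and a constructed installer file name and sample events.

```python
import ntpath

# Directories a legitimate shcore.dll is expected to load from (assumed default layout).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_DLL = "shcore.dll"  # DLL named in the advisory


def module_dir(path):
    """Normalised, lower-cased directory of a Windows path ('..' segments resolved)."""
    return ntpath.dirname(ntpath.normpath(path)).lower()


def find_sideloads(events, process_hint="wps"):
    """Return image-load events where the watched DLL came from an untrusted directory."""
    hits = []
    for ev in events:
        image_name = ntpath.basename(ev["Image"]).lower()
        loaded = ev["ImageLoaded"]
        if process_hint not in image_name:
            continue  # not a process matching the installer name hint
        if ntpath.basename(loaded).lower() != WATCHED_DLL:
            continue  # some other module
        if module_dir(loaded) in TRUSTED_DIRS:
            continue  # legitimate system copy
        hits.append({
            "process": ev["Image"],
            "dll": loaded,
            # True when the DLL sits beside the executable that loaded it
            "same_dir_as_process": module_dir(loaded) == module_dir(ev["Image"]),
        })
    return hits


# Constructed sample events; the installer file name and paths are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\wps_installer.exe",
     "ImageLoaded": r"C:\Windows\System32\SHCore.dll"},
    {"Image": r"C:\Users\alice\Downloads\wps_installer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\shcore.dll"},
    {"Image": r"C:\Users\alice\Downloads\wps_installer.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\shcore.dll"},
    {"Image": r"C:\Program Files\Other\app.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\shcore.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit)
```

Comparing normalised directories rather than substring-matching the path keeps a path such as `C:\Windows\System32\..\Temp\shcore.dll` from passing as a system copy.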
