CVE-2022-43616

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious EMF image files in CorelDRAW Graphics Suite. Attackers can achieve remote code execution in the context of the current user process. All users of affected CorelDRAW versions are vulnerable.

💻 Affected Systems

Products:
  • Corel CorelDRAW Graphics Suite
Versions: 23.5.0.506 and potentially earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with EMF file parsing enabled are vulnerable. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution, leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Malware installation or data exfiltration when users open malicious EMF files from untrusted sources.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially only application crash.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious files, but these can be delivered via email, downloads, or compromised websites.
🏢 Internal Only: LOW - Primarily requires external malicious content, though internal spear-phishing could still be effective.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is technically straightforward once a malicious EMF file has been crafted. ZDI has confirmed the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version beyond 23.5.0.506

Vendor Advisory: https://www.coreldraw.com/en/pages/security-advisories/

Restart Required: Yes

Instructions:

1. Open CorelDRAW.
2. Go to Help > Check for Updates.
3. Follow the prompts to install the latest version.
4. Restart the computer after installation.

🔧 Temporary Workarounds

Disable EMF file association

windows

Prevent CorelDRAW from automatically opening EMF files

Control Panel > Default Programs > Associate a file type or protocol with a program > Change .emf to open with different application

Application sandboxing

windows

Run CorelDRAW in a restricted environment

🧯 If You Can't Patch

  • Implement strict email filtering to block EMF attachments
  • Educate users to never open EMF files from untrusted sources
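
An extension-only mail rule misses an EMF file that has simply been renamed, so a filter should also look at the content. The sketch below is an added example, not code from this page or from Corel: it flags attachments whose first record is an EMF header (record type 1 at offset 0, signature bytes " EMF" at offset 40, per the published EMF format) as well as anything named `.emf`. The function names and the sample message are constructed for illustration.

```python
import struct
from email.message import EmailMessage

EMR_HEADER = 1                 # type of the first record in every EMF file
EMF_SIGNATURE = 0x464D4520     # little-endian bytes b" EMF" at offset 40
BLOCKED_EXTENSIONS = (".emf",)

def looks_like_emf(data: bytes) -> bool:
    """True if data starts with an EMF header record."""
    if len(data) < 44:
        return False
    (rec_type,) = struct.unpack_from("<I", data, 0)
    (signature,) = struct.unpack_from("<I", data, 40)
    # Deliberately no check of the declared record size: a file with a
    # malformed header must still be blocked, not waved through.
    return rec_type == EMR_HEADER and signature == EMF_SIGNATURE

def emf_attachments(msg: EmailMessage) -> list:
    """Return (filename, reason) for every part that should be blocked."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if looks_like_emf(payload):
            hits.append((name, "content"))      # catches renamed files
        elif name.lower().endswith(BLOCKED_EXTENSIONS):
            hits.append((name, "extension"))
    return hits

def build_sample_message() -> EmailMessage:
    """Constructed sample: header-only EMF stub, a renamed copy, benign parts."""
    emf = struct.pack("<II", EMR_HEADER, 88) + bytes(32) + b" EMF" + bytes(44)
    png = b"\x89PNG\r\n\x1a\n" + bytes(80)
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(emf, maintype="image", subtype="x-emf", filename="drawing.emf")
    msg.add_attachment(emf, maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(png, maintype="image", subtype="png", filename="real.png")
    msg.add_attachment(b"not an emf", maintype="application",
                       subtype="octet-stream", filename="empty.emf")
    return msg

if __name__ == "__main__":
    for name, reason in emf_attachments(build_sample_message()):
        print(f"block {name!r} (matched on {reason})")
```

This only inspects top-level attachments; EMF data embedded inside archives or other document formats needs unpacking first.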

🔍 How to Verify

Check if Vulnerable:

Check the CorelDRAW version in Help > About. If the version is 23.5.0.506 or earlier, the system is vulnerable.

Check Version:

In CorelDRAW: Help > About CorelDRAW

Verify Fix Applied:

Verify in Help > About that the version is updated beyond 23.5.0.506.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing EMF files
  • Unusual process spawning from CorelDRAW

Network Indicators:

  • Downloads of EMF files from suspicious sources
  • Outbound connections after EMF file processing

SIEM Query:

EventID=1000 Application Error with CorelDRAW.exe OR Process creation from CorelDRAW.exe with suspicious parent
