CVE-2024-7262
📋 TL;DR
This vulnerability allows attackers to load arbitrary Windows libraries through improper path validation in WPS Office's promecefpluginhost.exe component. Attackers can exploit this via a malicious spreadsheet document, potentially leading to code execution. Users running affected WPS Office versions on Windows are at risk.
💻 Affected Systems
- Kingsoft WPS Office
📦 What is this software?
WPS Office by Kingsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Malware installation or credential theft when users open weaponized spreadsheet documents, often delivered via phishing.
If Mitigated
Limited impact with proper endpoint protection, user training, and restricted execution privileges.
🎯 Exploit Status
Weaponized as single-click exploit in deceptive spreadsheet documents. Requires user to open malicious file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.2.0.16412 and later
Vendor Advisory: https://www.wps.com/whatsnew/pc/20240422/
Restart Required: Yes
Instructions:
1. Open WPS Office.
2. Click Help > Check for Updates.
3. Install available updates.
4. Restart WPS Office.
Alternatively, download the latest version from the official WPS website.
🔧 Temporary Workarounds
Disable promecefpluginhost.exe via AppLocker
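Block execution of the vulnerable component using Windows AppLocker policies. New-AppLockerPolicy only generates Allow rules, so the generated path rule is switched to Deny before it is merged. Merge it into a policy whose Exe rule collection already has allow rules, because once a collection contains rules, executables not covered by an allow rule are blocked.
Get-ChildItem "C:\Program Files\Kingsoft\WPS Office\*\office6\promecefpluginhost.exe" | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Xml | ForEach-Object { $_ -replace 'Action="Allow"', 'Action="Deny"' } | Set-Content .\deny-promecefpluginhost.xml
Set-AppLockerPolicy -XmlPolicy .\deny-promecefpluginhost.xml -Merge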
Restrict macro execution
Configure WPS Office to disable macros by default to prevent malicious document execution.
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized executables.
- Deploy endpoint detection and response (EDR) to monitor for suspicious library loading behavior.
🔍 How to Verify
Check if Vulnerable:
Check WPS Office version via Help > About WPS Office. If version is between 12.2.0.13110 and 12.2.0.16412 (exclusive), system is vulnerable.
Check Version:
wmic product where "name like 'WPS Office%'" get version
Verify Fix Applied:
Verify version is 12.2.0.16412 or higher in Help > About WPS Office.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing promecefpluginhost.exe loading unexpected DLLs
- Process creation events for promecefpluginhost.exe with suspicious parent processes
Network Indicators:
- Outbound connections from WPS Office processes to suspicious domains after opening documents
SIEM Query:
source="windows" AND process_name="promecefpluginhost.exe" AND (event_id=7 OR event_id=11)
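The log indicators and SIEM query above, turned into triage logic as an added example (not part of the original advisory). It assumes event IDs 7 and 11 are Sysmon ImageLoad and FileCreate, uses Sysmon field names, and treats the listed trusted directories as an environment-specific assumption; the sample events are constructed.

```python
import ntpath

IMAGE_LOAD, FILE_CREATE = 7, 11  # assumption: Sysmon ImageLoad / FileCreate event IDs
TARGET = "promecefpluginhost.exe"
# Assumption: directories DLLs may legitimately load from; tune per environment.
TRUSTED_DIRS = (
    "c:\\program files\\kingsoft\\wps office\\",
    "c:\\program files (x86)\\kingsoft\\wps office\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)
LIBRARY_EXTS = (".dll", ".ocx")

def norm(path):
    # Canonicalise separators, dot segments and case before any comparison.
    return ntpath.normpath(path.replace("/", "\\")).lower()

def triage(events):
    """Return (reason, path) findings for events raised by promecefpluginhost.exe."""
    findings = []
    for ev in events:
        if ntpath.basename(norm(ev.get("Image", ""))) != TARGET:
            continue  # other processes are out of scope for this rule
        if ev["EventID"] == IMAGE_LOAD:
            if not norm(ev["ImageLoaded"]).startswith(TRUSTED_DIRS):
                findings.append(("untrusted_image_load", ev["ImageLoaded"]))
        elif ev["EventID"] == FILE_CREATE:
            if norm(ev["TargetFilename"]).endswith(LIBRARY_EXTS):
                findings.append(("library_written_to_disk", ev["TargetFilename"]))
    return findings

# Constructed sample events (field names follow Sysmon; paths are invented).
WPS_DIR = r"C:\Program Files\Kingsoft\WPS Office\12.2.0.13110\office6"
HOST = WPS_DIR + "\\" + TARGET
TMP_DLL = r"C:\Users\alice\AppData\Local\Temp\sample.dll"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": HOST, "ImageLoaded": WPS_DIR + r"\bundled.dll"},
    {"EventID": 7, "Image": HOST.upper(), "ImageLoaded": "C:/WINDOWS/System32/kernel32.dll"},
    {"EventID": 7, "Image": HOST, "ImageLoaded": TMP_DLL},
    {"EventID": 11, "Image": HOST, "TargetFilename": TMP_DLL},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": TMP_DLL},
]

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```

Only the two events where promecefpluginhost.exe touches the temp-directory DLL are reported; the bundled and System32 loads and the unrelated notepad.exe event are not.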