CVERadar
Edition used by more than 30,000 companies in more than 150 countries.
Sign Up For FreeCVE-2022-22004
High Severity|Microsoft
55
SVRS
7.8
CVSSv3
0.02571
EPSS
TAGSNo tags available
VECTOR STRING
CVSS:3.1AV:LAC:LPR:NUI:RS:UC:HI:HA:HE:URL:ORC:C
PUBLICATION DATE2022-02-09
LAST MODIFIED2025-01-02
Deep CVE Analysis in Progress
The system is currently conducting an in-depth analysis of the selected CVE. This includes advanced correlation, vulnerability classification, and cross-referencing with real-time threat intelligence sources. Once the analysis is complete, the page will automatically update with enriched vulnerability data and actionable insights.
Security Intelligence Brief
1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2022-22004, is a Remote Code Execution (RCE) vulnerability affecting Microsoft Office ClickToRun. It is critical because RCE vulnerabilities allow attackers to execute arbitrary code on a vulnerable system, potentially leading to full system compromise, data theft, and further network penetration. The widespread use of Microsoft Office makes this a significant concern for individuals and organizations.
2. What are the CVSS score, severity level, and disclosure details?
The vulnerability has a CVSS v3.1 base score of 7.8, which is classified as High severity.
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): High (H)
- Integrity Impact (I): High (H)
- Availability Impact (A): High (H)
3. Which products, vendors, systems, and versions are affected?
The vulnerability affects Microsoft Office products utilizing the Click-to-Run (C2R) component. Specifically, Microsoft Office 2013 Click-to-Run (C2R) for both 32-bit and x64-based systems are affected, for versions prior to 15.0.5415.xxxxxx. Other affected products include:
- Microsoft Office LTSC 2021 for 32-bit and 64-bit editions
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft Excel 2013 RT Service Pack 1
- Microsoft Outlook 2016 for Mac
- Microsoft Office Web Apps Server 2013 Service Pack 1
- Microsoft Office 2019 for 32-bit and 64-bit editions
- Microsoft Office 2019 for Mac
- Microsoft Office 2013 Service Pack 1 (64-bit editions)
- Microsoft Office LTSC for Mac 2021
- Microsoft Excel 2013 Service Pack 1 (32-bit and 64-bit editions)
- Microsoft Office 2013 RT Service Pack 1
- Microsoft Excel 2016 (32-bit and 64-bit editions)
- Microsoft Office Online Server
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Enterprise Server 2016
- Microsoft Office 2016 (32-bit and 64-bit editions)
4. What is the technical root cause and attack vector?
The technical root cause is an unspecified flaw within the Microsoft Office ClickToRun component that allows for remote code execution. The attack vector is local, requiring user interaction. Specifically, a local user needs to open a malicious file for the vulnerability to be exploited.
5. How can this vulnerability be exploited?
This vulnerability can be exploited by an attacker who convinces a local user to open a specially crafted malicious file. Upon opening the file, the attacker can then achieve remote code execution on the user's system. This typically involves social engineering techniques to trick the victim into opening the malicious document.
6. What mitigation steps and patches are available?
Microsoft has released security updates to address this vulnerability. Organizations should refer to the official Microsoft Security Update Guide (MSRC) for the specific patches corresponding to their affected Office versions. Applying these patches without delay is strongly recommended.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by checking the version numbers of Microsoft Office Click-to-Run installations and other affected Office products against the patched versions. Systems running Microsoft Office 2013 Click-to-Run versions earlier than 15.0.5415.xxxxxx are vulnerable. Regular inventory and vulnerability scanning tools that check for installed software versions and applied patches can help identify susceptible systems.
8. What are the indicators of compromise (IOCs)?
While specific IOCs for CVE-2022-22004 are not detailed in the provided data, general indicators of compromise for remote code execution vulnerabilities often include:
- Unusual outbound network traffic from affected systems.
- Suspicious file creations or modifications.
- Unexpected process execution, particularly from Office applications.
- Abnormal user account activity or privilege escalation.
- Presence of unusual or unauthorized network connections.
- Changes to system configurations or installed software.
9. Which threat actors are known to exploit this vulnerability?
As of the provided information, there is no public intelligence indicating that CVE-2022-22004 has been actively exploited in the wild by specific threat actors. However, given its nature as a remote code execution vulnerability in widely used software, it is a high-value target for various malicious actors.
10. What public intelligence references and advisories exist?
Public intelligence references and advisories include:
- National Vulnerability Database (NVD) entry for CVE-2022-22004.
- Microsoft Security Response Center (MSRC) advisory and update guide for CVE-2022-22004.
- Various vulnerability databases and security advisories from vendors like Rapid7.
11. What is the risk assessment and urgency level?
The risk assessment for CVE-2022-22004 is High, with a CVSS v3.1 score of 7.8. The urgency level is significant due to the potential for remote code execution, which can lead to complete system compromise. Although user interaction is required (opening a malicious file), social engineering tactics make this a common and effective attack vector. Organizations should prioritize patching this vulnerability immediately to prevent potential exploitation, especially given that exploitation often follows disclosure rapidly. The Exploit Prediction Scoring System (EPSS) for this vulnerability is 1.89%, placing it in the 83rd percentile, which indicates a moderate likelihood of exploitation within 30 days.
Enhance Your CVE Management with SOCRadar Vulnerability Intelligence
Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.
CREATE FREE ACCOUNTCVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs
CVE Radar
Real-time CVE Intelligence & Vulnerability Management Platform
CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.