Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Microsoft Office RTF Memory Corruption Remote Code Execution

IdentifiersCVE-2015-1641CWE-119

CVE-2015-1641 is a memory corruption vulnerability in Microsoft Word and related Microsoft Office components that process Rich Text Format (RTF) content. Affected products listed in the provided content include Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1. The flaw can be triggered by a specially crafted RTF document, leading to memory corruption during document parsing/handling and allowing arbitrary code execution. The content refers to this issue as the "Microsoft Office Memory Corruption Vulnerability."

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote attackers to execute arbitrary code in the context of the affected application and user. In practical intrusion activity described in the content, malicious RTF attachments exploiting CVE-2015-1641 were used to launch malware, drop DLL payloads, and install first-stage implants or droppers. This can enable full compromise of the victim workstation, follow-on malware deployment, persistence, credential theft, espionage, and lateral movement, subject to the privileges of the user and subsequent attacker actions.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, reduce exposure by blocking or quarantining unsolicited RTF attachments, disabling or restricting opening of RTF documents from untrusted sources, using Protected View or equivalent document isolation controls where available, and limiting use of vulnerable Office/Word processing components on exposed systems such as SharePoint Word Automation Services and Office Web Apps. Email filtering, attachment sandboxing, application allowlisting, and least-privilege user configurations can reduce exploitation success and post-exploitation impact.

Remediation

Patch, then assume compromise.

Apply Microsoft's security updates for all affected Office, Word, SharePoint Word Automation Services, Office Compatibility Pack, Office Web Apps Server, and Word for Mac versions identified in the advisory context. The provided content specifically states to update affected Microsoft products with the latest security patches. Organizations should also retire unsupported/end-of-life Office components where possible.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationOfficeapplication
Microsoft CorporationOffice Compatibility Packapplication
Microsoft CorporationOffice Web Appsapplication
Microsoft CorporationOutlookapplication
Microsoft CorporationSharepoint Serverapplication
Microsoft CorporationWordapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
citizenlabNews
Nov 17, 2016
It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community

A newer (but still patched) Microsoft Office / Word RTF vulnerability used in spearphishing attachments to trigger execution of a dropper and install the KeyBoy backdoor via a similar infection chain to the earlier attempt.

Read more
mitre attackNews
Jan 25, 2026
Exploitation for Client Execution, Technique T1203 - Enterprise | MITRE ATT&CK®

A Microsoft Office vulnerability used for code execution.

Read more
mitre attackNews
Jan 25, 2026
Confucius, Confucius APT, Group G0142 | MITRE ATT&CK®

A Microsoft Office vulnerability reportedly exploited by the Confucius threat actor for client-side code execution via malicious documents.

Read more
mitre attackNews
Jan 25, 2026
Exploitation for Client Execution, Technique T1203 - Enterprise | MITRE ATT&CK®

A Microsoft Office vulnerability used for code execution via malicious documents.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence7

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2015-1641
NVD
nvd.nist.gov/vuln/detail/CVE-2015-1641
MITRE CWE · CWE-119
cwe.mitre.org
Patch
docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-033
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-1641