HighCISA KEVExploited in the wildPublic exploit

Microsoft Office Memory Corruption Vulnerability

IdentifiersCVE-2015-2424CWE-119

CVE-2015-2424 is a memory corruption vulnerability in Microsoft Office affecting Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 SP1, Word 2013 SP1, and PowerPoint 2013 RT SP1. According to the provided content, the flaw can be triggered by opening a crafted Office document. Successful exploitation allows a remote attacker to execute arbitrary code, and the issue may also result in denial of service due to memory corruption. The content further indicates the vulnerability was used as a zero-day in targeted phishing campaigns, including by the Sednit/APT28 group, to deliver first-stage malware such as Seduploader.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in the context of the user opening the malicious document. The vulnerability can also cause application instability or denial of service through memory corruption. In the observed threat activity described in the content, exploitation was used to gain an initial foothold on targeted systems and deploy malware for follow-on espionage operations.

Mitigation

If you can’t patch tonight, do this now.

Until patches are applied, reduce exposure by blocking or strictly controlling delivery of Office documents from untrusted sources, especially via email-based phishing. Use Protected View, attachment sandboxing, and mail filtering to inspect or quarantine suspicious Office files. Limit execution of active content and macros where not required, and restrict users from opening unsolicited Word or PowerPoint documents. Network and endpoint controls that detect exploit delivery and post-exploitation payloads can further reduce risk.

Remediation

Patch, then assume compromise.

Apply the Microsoft security updates that address CVE-2015-2424 for the affected Office versions listed in the content. Upgrade unsupported or legacy Office installations where possible, and ensure Word and PowerPoint deployments are brought to patched service-pack and security-update levels.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationExcel Viewerapplication

Microsoft CorporationOfficeapplication

Microsoft CorporationOffice Compatibility Packapplication

Microsoft CorporationPowerpointapplication

Microsoft CorporationWordapplication

Microsoft CorporationWord Viewerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

web archiveNews

Jan 25, 2026

A specific vulnerability cited as one of multiple zero-days leveraged by APT28; the statement does not provide technical details beyond its use as a zero-day.

eset welivesecurity blogNews

Mar 13, 2026

A 2015 Microsoft Office remote code execution vulnerability cited as one of the zero-days exploited by the Sednit group.

eset welivesecurity blogNews

Mar 13, 2026

A Microsoft Office remote code execution vulnerability used by Sednit in targeted phishing attachments; it was a 0-day when used.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence3

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2015-2424

NVD

nvd.nist.gov/vuln/detail/CVE-2015-2424

MITRE CWE · CWE-119

cwe.mitre.org

Patch

docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-070

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2424