Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Microsoft Office Malformed EPS File Vulnerability

IdentifiersCVE-2015-2545CWE-20

CVE-2015-2545 is a remote code execution vulnerability in Microsoft Office’s handling of Encapsulated PostScript (EPS) image content, specifically described in the provided content as an EPS parsing flaw in the EPSIMP32.FLT module. Affected products include Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1. The vulnerability is triggered when Office processes a specially crafted EPS image embedded in a document, including DOC/DOCX and Web Archive/MHTML-based delivery formats observed in the wild. The supplied reporting states that exploitation used malformed PostScript/EPS content and was widely weaponized in targeted spear-phishing campaigns. Successful exploitation results in arbitrary code execution in the context of the user opening the malicious Office document.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote attackers to execute arbitrary code on the victim system. In observed campaigns, the flaw was used for initial compromise via spear-phishing documents and then chained with additional malware or privilege-escalation exploits to install backdoors, loaders, and reconnaissance tooling. The practical impact includes full compromise of the current user context, malware deployment, persistence, data theft, and potential follow-on elevation to SYSTEM when paired with local privilege-escalation vulnerabilities.

Mitigation

If you can’t patch tonight, do this now.

Until patching is fully deployed, reduce exposure by blocking or filtering Office documents containing embedded EPS content, especially from email and web downloads; disable or restrict EPS rendering/processing in Office where possible; and enforce protected-view, attachment sandboxing, and mail gateway detonation for inbound Office documents. Given the strong association with spear-phishing, user-facing controls such as attachment isolation and macro/document execution restrictions can further reduce risk, although this vulnerability does not require macros. Network and endpoint monitoring should focus on Office spawning abnormal child processes or loading follow-on payloads after document open.

Remediation

Patch, then assume compromise.

Apply Microsoft security update MS15-099, which patched CVE-2015-2545 on 2015-09-08. Upgrade affected Microsoft Office installations to patched builds and ensure unsupported or unpatched Office versions are retired. Because exploitation was delivered through malicious embedded EPS content in Office documents, organizations should also review Office/EPS handling settings and remove or disable legacy components where operationally feasible.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationOfficeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
ptsecurity globalNews
Oct 26, 2024
Analytics

A specific vulnerability exploited via a malicious MHTML document to deliver the TidePool malware used by APT15.

Read more
securelistNews
Dec 14, 2016
Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016

Arbitrary code execution via a specially crafted EPS image file; exploited by multiple APT groups despite being patched in 2015.

Read more
securelistNews
May 25, 2016
CVE-2015-2545: overview of current threats

A Microsoft Office remote code execution vulnerability in the EPS (Encapsulated PostScript) parsing/handling component (EPSIMP32.FLT), triggered via specially crafted embedded EPS content in Office documents, enabling arbitrary code execution and noted for bypassing ASLR/DEP in exploit implementations.

Read more
eset welivesecurity blogNews
Mar 18, 2026
Sednit adds two zero-day exploits using 'Trump's attack on Syria' as a decoy

A previously documented Microsoft Office EPS-related vulnerability referenced for similarity/comparison to the CVE-2017-0262 exploit chain; not described as used in this campaign.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence10

Every observed campaign linking this CVE to a named adversary.

Associated malware8

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2015-2545
NVD
nvd.nist.gov/vuln/detail/CVE-2015-2545
MITRE CWE · CWE-20
cwe.mitre.org
Patch
docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-099
Third Party Advisory
blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2545