Mallory
Critical

Arbitrary DLL Load in Kingsoft WPS Office promecefpluginhost.exe

Identifiers: CVE-2024-7263, CWE-22 · Improper Limitation of a Pathname…

CVE-2024-7263 is an improper path validation vulnerability in promecefpluginhost.exe in Kingsoft WPS Office for Windows. Affected versions are 12.2.0.13110 through 12.2.0.17115, exclusive. According to the provided content, the issue allows an attacker to cause WPS Office to load an arbitrary Windows library because a parameter was not properly sanitized. The content further states that the patch released in version 12.1.0.17119 for CVE-2024-7262 was insufficiently restrictive, and that another parameter remained improperly validated, enabling arbitrary Windows library execution. The associated detection content characterizes exploitation as a DLL hijack involving the ksoqing custom protocol handler and remote library loading by promecefpluginhost.exe.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to force WPS Office to load and execute an arbitrary Windows DLL in the context of the targeted application. This can result in arbitrary code execution, malware deployment, persistence establishment, and follow-on compromise of the affected user context. In practical intrusion scenarios, the vulnerability can be used as an initial execution vector for payload delivery, including backdoors and downloaders.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, reduce exposure by restricting or monitoring invocation of the ksoqing custom protocol handler, blocking untrusted remote library paths and suspicious DLL loads by promecefpluginhost.exe, and applying application control to prevent unsigned or untrusted DLL execution. Additional mitigations include limiting user interaction with untrusted documents or links that may trigger the vulnerable code path and monitoring for WPS Office processes loading libraries from unusual local or remote locations.
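
The monitoring described above can be prototyped as a small triage routine. This is an added example, not Mallory's or the vendor's detection content. It assumes events exported as dictionaries with Sysmon field names (Event ID 1 for process creation, ID 7 for image load), and the trusted-directory list, the WPS install path placeholder and all sample events are constructed.

```python
import ntpath

TARGET = "promecefpluginhost.exe"
# Assumption: directories this host is expected to load DLLs from. The WPS
# entry is a placeholder; replace it with the real install path in your fleet.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\example-wps-install")

# Constructed sample events using Sysmon field names (ID 1 = process
# creation, ID 7 = image load). All hosts, paths and values are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\EXAMPLE-WPS-INSTALL\promecefpluginhost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\EXAMPLE-WPS-INSTALL\promecefpluginhost.exe",
     "ImageLoaded": r"\\192.0.2.10\share\plugin.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\EXAMPLE-WPS-INSTALL\promecefpluginhost.exe",
     "ImageLoaded": r"C:\EXAMPLE-WPS-INSTALL\..\Users\Public\x.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\EXAMPLE\handler.exe",
     "CommandLine": '"C:\\EXAMPLE\\handler.exe" "ksoqing://constructed-placeholder"'},
]

def findings(event):
    """Return the reasons (possibly none) an event deserves analyst review."""
    reasons = []
    if event.get("EventID") == 1 and "ksoqing:" in event.get("CommandLine", "").lower():
        reasons.append("ksoqing protocol handler invoked")
    image = ntpath.basename(event.get("Image", "")).lower()
    if event.get("EventID") == 7 and image == TARGET:
        # Collapse ".." lexically first so a traversal cannot hide behind a trusted prefix.
        loaded = ntpath.normpath(event.get("ImageLoaded", "")).lower()
        if loaded.startswith("\\\\"):
            reasons.append("DLL loaded from remote (UNC) path")
        elif not any(loaded.startswith(d + "\\") for d in TRUSTED_DIRS):
            reasons.append("DLL loaded from untrusted directory")
        if str(event.get("Signed", "")).lower() != "true":
            reasons.append("DLL is unsigned")
    return reasons

def triage(events):
    """Pair each flagged event's index with its reasons."""
    return [(i, r) for i, e in enumerate(events) if (r := findings(e))]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

Normalizing the loaded path before the prefix comparison matters here because the underlying weakness is CWE-22: a path that starts inside a trusted directory and climbs out with `..` would otherwise pass the allow-list.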

Remediation

Patch, then assume compromise.

Upgrade Kingsoft WPS Office for Windows to a version not affected by CVE-2024-7263. The provided content identifies affected versions as 12.2.0.13110 through 12.2.0.17115, exclusive, and notes that the earlier fix for CVE-2024-7262 was incomplete. Organizations should ensure they deploy the vendor update that specifically addresses CVE-2024-7263 rather than relying solely on the prior mitigation for CVE-2024-7262.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Kingsoft | Wps Office | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
