Microsoft Office Remote Code Execution Vulnerability
CVE-2017-8570 is a Microsoft Office remote code execution vulnerability caused by the way Microsoft Office handles objects in memory. The provided content explicitly describes it as an Office RCE issue and associates it with malicious Office document delivery chains and exploit kits such as ThreadKit. In observed campaigns, crafted Office documents embedded exploits for CVE-2017-8570 and were used to trigger execution during document opening, including delivery chains that dropped packager objects into temporary folders, executed a scriptlet file, and then launched batch files to run the payload. The content does not identify a specific vulnerable function, but it does indicate a memory-handling flaw in Office that can be triggered via a malicious document.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a Bash script ('auto') and a README.md file. The script automates the process of generating a malicious Microsoft Office PPSX file exploiting CVE-2017-8570. The attacker sets their own IP address and port, and the script uses msfvenom to generate a Meterpreter reverse shell payload. It clones a toolkit from GitHub, prepares the payload, and sets up a Metasploit handler. The attacker is instructed to send the generated Invoice.ppsx file to the victim. When the victim opens the file, it triggers a download of the Meterpreter payload via PowerShell, resulting in a reverse shell connection to the attacker's machine. The main attack vector is phishing via a malicious Office document. The script is operational and automates the exploit setup, but relies on external tools and manual delivery of the malicious file.
This repository provides a Python tool ('generate_ppsx.py') that generates a malicious PowerPoint Show (.ppsx) file and an associated XML file to exploit CVE-2017-8570, a vulnerability in Microsoft Office. The exploit works by embedding a reference to a remote XML file in the .ppsx file. The XML file, when accessed by PowerPoint, triggers PowerShell to download and execute a remote payload (such as an executable or script) from an attacker-controlled server. The README.md provides detailed usage instructions, including example command lines and required setup steps. The exploit requires the attacker to host both the payload and the XML file on a web server, and for the victim to open the crafted .ppsx file in PowerPoint. The repository contains two files: a README.md with instructions and a Python script that automates the creation of the exploit files. The main attack vector is via a malicious file, and the exploit leverages remote URLs for payload delivery and execution.
This repository is a Proof of Concept exploit for CVE-2017-8570 (the 'Composite Moniker' vulnerability in Microsoft Office). The main exploit script, 'packager_composite_moniker.py', generates a malicious RTF file that embeds a scriptlet (.sct) file using the Packager.dll trick. When a vulnerable version of Microsoft Office opens the generated RTF, it drops the SCT file into the %TEMP% directory (or a fake path) and executes it, leading to arbitrary code execution. The provided 'calc.sct' payload demonstrates code execution by launching calc.exe. The repository also includes a YARA rule for detection and an example RTF file. The exploit is a POC and does not include weaponized features such as payload customization or C2 communication. The main attack vector is via malicious file delivery (RTF document).
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft Office remote code execution vulnerability included in the most exploited list.
A Microsoft Office vulnerability exploited by Agent Tesla for client-side code execution during malware delivery.
Microsoft Office remote code execution vulnerability added to ThreadKit and used in phishing attachments; described as part of exploit chains that drop scriptlets and batch files to execute malware.
A Microsoft Office vulnerability exploited via malicious documents to achieve code execution.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.