HighCISA KEVExploited in the wildPublic exploit

RTF Stack Buffer Overflow in Microsoft Office

IdentifiersCVE-2010-3333CWE-121

CVE-2010-3333 is a stack-based buffer overflow in Microsoft Office's handling of crafted Rich Text Format (RTF) data. A malicious RTF document, including one disguised with a .doc extension, can trigger memory corruption when opened in affected versions of Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac. The vulnerability is widely referred to as the "RTF Stack Buffer Overflow Vulnerability." Successful exploitation allows arbitrary code execution in the context of the user opening the document, and the flaw was extensively used in spear-phishing campaigns to deliver malware such as Hacking Team RCS and other espionage payloads.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables remote code execution on the victim system when the malicious document is opened. In observed campaigns, attackers used the flaw to install surveillance malware, download multi-stage payloads, steal credentials and documents, and establish persistent access. Because exploitation occurs in the context of the current user, impact depends on that user's privileges; on typical desktop systems this is sufficient for full compromise of user data and follow-on malware installation.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, reduce exposure by blocking or quarantining inbound RTF attachments, especially from untrusted sources; disable or restrict automatic opening of RTF content in Office workflows; use Protected View, application isolation, and mail sandboxing where available; and prevent users from opening unsolicited Office documents. Additional mitigations include attachment detonation, content disarm and reconstruction, and least-privilege user configurations to limit post-exploitation impact.

Remediation

Patch, then assume compromise.

Apply Microsoft's security updates for CVE-2010-3333 and upgrade unsupported Office versions to supported, fully patched releases. Replace or retire affected Office installations on both Windows and macOS, including vulnerable Open XML File Format Converter for Mac deployments. Organizations should verify patch coverage across legacy Office versions that remained common targets in spear-phishing campaigns.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationOfficeapplication

Microsoft CorporationOpen Xml File Format Converterapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

17 SOURCESView more in app

citizenlabNews

Jan 20, 2026

Backdoors are Forever: Hacking Team and the Targeting of Dissent

A Microsoft Office RTF stack-based buffer overflow vulnerability that allows remote code execution via crafted RTF data and was used to deliver Hacking Team RCS malware against Ahmed Mansoor.

citizenlabNews

Dec 12, 2025

Mapping Hacking Team’s “Untraceable” Spyware

A Microsoft Office RTF parsing vulnerability used in a malicious document to install Hacking Team RCS against Ahmed Mansoor.

citizenlabNews

Dec 11, 2025

Shifting Tactics: Tracking Changes in Years-Long Espionage Campaign Against Tibetans - The Citizen Lab

A well-known vulnerability used in document-based exploit lures in espionage campaigns targeting Tibetan groups.

sentinelone labsNews

Oct 9, 2025

Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years | SentinelOne

An old Microsoft Office/RTF-handling vulnerability used by Aoqin Dragon in weaponized lure documents for initial compromise.

+13 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence11

Every observed campaign linking this CVE to a named adversary.

Associated malware19

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2010-3333

NVD

nvd.nist.gov/vuln/detail/CVE-2010-3333

MITRE CWE · CWE-121

cwe.mitre.org

Patch

docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-087

Third Party Advisory

us-cert.gov/cas/techalerts/TA10-313A.html

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-3333