Threats / Microsoft / CVE-2017-11882
CVE-2017-11882
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Microsoft Office vulnerability
Microsoft Office memory corruption vulnerability enabling remote code execution with user privileges. Actively exploited in ransomware campaigns.
Verdict
Today item, not a backlog item.
Critical remote code execution flaw in Office allowing attackers to execute arbitrary code through malformed documents. High real-world exploitation activity including ransomware deployment.
CISA KEV Yes · 2021-11-033Ransomware use Flagged3EPSS 0.99945 (verify live)4Exploit Weaponized · public PoC5
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
223 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.99945 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Microsoft, Office. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-119 Memory Buffer Bounds Error — weakness family: Memory safety.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
Lower-confidence links — not headline attribution
These are not confirmed attribution and do not name this record’s headline actor. Each is tier-labeled and cited; an inferred link is a structural ATT&CK chain (a group uses a tool whose reference cites this CVE), never a statement that the source names the group.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
Craft a malicious Office document exploiting the memory corruption flaw to achieve code execution when opened by a target user.
Business
Endpoint compromise and potential lateral movement within corporate networks via user-opened documents.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
Deliver the weaponized document via email or file-sharing mechanisms to maximize user interaction.
Business
Mass infection vectors enabling rapid ransomware deployment across organizational infrastructure.
3
Lateral reach — past segmentation narrative 3
Attacker
Execute ransomware payload with user-level privileges to encrypt files and demand payment.
Business
Operational disruption, data loss, financial extortion, and reputational damage from ransomware incidents.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05