CVE-2021-27059: Microsoft Office Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.6)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Actively Exploited

Exploitation Likelihood

Detected

Patch Tuesday

2021-Mar

Released

2021-03-09

Last Updated

2021-03-12

EPSS Score

2.97% (percentile: 86.5%)

CISA KEV

Listed — due 2021-11-17

FAQ

Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Affected Products (7)

Microsoft Office

• Microsoft Office 2016 (32-bit edition)
• Microsoft Office 2016 (64-bit edition)
• Microsoft Office 2010 Service Pack 2 (32-bit editions)
• Microsoft Office 2010 Service Pack 2 (64-bit editions)
• Microsoft Office 2013 RT Service Pack 1
• Microsoft Office 2013 Service Pack 1 (32-bit editions)
• Microsoft Office 2013 Service Pack 1 (64-bit editions)

Security Updates (6)

• 4493225
• 4493225
• 4504703
• 4504703
• 4493228
• 4493228

Acknowledgments

Chi-Yu You and Dhanesh Kizhakkinan of FireEye Inc.

Revision History

• 2021-03-09: Information published.
• 2021-03-12: Added an acknowledgement and changed the Exploited flag to Yes. This is an informational update only.