CVE-2021-40485: Microsoft Excel Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.8)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2021-Oct

Released

2021-10-12

Last Updated

2021-10-13

EPSS Score

1.14% (percentile: 78.4%)

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? A user needs to be tricked into running malicious files. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Affected Products (15)

Microsoft Office

• Microsoft SharePoint Enterprise Server 2013 Service Pack 1
• Microsoft Office 2019 for 32-bit editions
• Microsoft Office 2019 for 64-bit editions
• Microsoft Office 2019 for Mac
• Microsoft Office Online Server
• Microsoft 365 Apps for Enterprise for 32-bit Systems
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft Office LTSC for Mac 2021
• Microsoft Office LTSC 2021 for 64-bit editions
• Microsoft Office LTSC 2021 for 32-bit editions
• Microsoft Excel 2016 (32-bit edition)
• Microsoft Excel 2016 (64-bit edition)
• Microsoft Excel 2013 RT Service Pack 1
• Microsoft Excel 2013 Service Pack 1 (32-bit editions)
• Microsoft Excel 2013 Service Pack 1 (64-bit editions)

Security Updates (7)

• 4493202
• Release Notes
• 5002027
• 5002030
• 5002030
• 5002043
• 5002043

Acknowledgments

Zesen Ye (@wh1tc) and Zhiniang Peng (@edwardzpeng) with Sangfor

Revision History

• 2021-10-12: Information published.
• 2021-10-13: Added an acknowledgement. This is an informational change only.