| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-42292 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | This vulnerability is being exploited in the wild. |
| Vulnerable software Subscribe |
Microsoft Office Client/Desktop applications / Office applications Microsoft Excel Client/Desktop applications / Office applications |
| Vendor | Microsoft |
This security bulletin contains one critical risk vulnerability.
EUVDB-ID: #VU58058
Risk: Critical
CVSSv3.1: 8.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-42292
CWE-ID:
CWE-20 - Improper Input Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when processing Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code on the system.
Note, the vulnerability is being exploited in the wild.
Install updates from vendor's website.
Vulnerable software versionsMicrosoft Office: 2013, 2013 RT, 2016, 2019, 2019 for Mac
Microsoft Excel: 2013, 2013 RT Service Pack 1, 2016
CPE2.3http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42292
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.