CVE-2021-42292

Microsoft Excel Security Feature Bypass Vulnerability

CVSS 7.8 HIGH | EPSS 31.9% | KEV
Vexday Risk Score
83 | Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 7.8 | EPSS 31.9% | KEV: yes | Public PoC | Nuclei | Metasploit | Patch
Lifecycle
09 Nov 2021: Public PoC
10 Nov 2021: Published on NVD
17 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Microsoft Excel has a security feature bypass flaw that lets an attacker get past built-in security protections with a specially crafted file. This weakness could let malicious content run without proper authorization.

Technical detail

A security feature bypass vulnerability in Microsoft Excel permits an attacker to circumvent protection mechanisms via a malformed or specially crafted spreadsheet. The attack requires user interaction (opening a malicious file), but upon successful exploitation, it can lead to unauthorized code execution or access to sensitive data within the user's context.

Summary generated and translated by AI from the official description.
Microsoft Excel Security Feature Bypass Vulnerability
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
