CVE-2017-11882

Vulnerability updated a month ago (2024-11-29T13:54:21.608Z)
Download STIX
Preview STIX
CVE-2017-11882 is a significant software vulnerability, specifically a flaw in the design or implementation of Microsoft's Equation Editor. This vulnerability has been exploited by various threat actors to create malicious RTF files, most notably by Chinese state-sponsored groups using the "Royal Road" exploit builder. The Royal Road tool allows these groups to craft documents that take advantage of this vulnerability, among others, to compromise systems. Historically, CVE-2017-11882 has been used to disseminate notorious malware families such as Dridex in 2017 and Guloader in 2021. More recently, Zscaler ThreatLabz reported a campaign exploiting this vulnerability to spread the Agent Tesla information-stealing malware. BlackBerry documented over 9,500 instances of Office documents exploiting this issue since the start of 2024, particularly in organizations with legacy systems often found in ports, maritime facilities, and other critical infrastructure. The threat posed by outdated vulnerabilities like CVE-2017-11882 continues to be discussed by security researchers, including those at Check Point Research. In addition, this vulnerability has been leveraged in various campaigns by TA558, tracked by Palo Alto Networks, Cisco Talos, and Uptycs. These campaigns typically involve malicious Microsoft Word document attachments or remote template URLs to download and install malware, further highlighting the enduring risk associated with this vulnerability.
Description last updated: 2024-08-14T08:38:47.361Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Vulnerability
Microsoft
Tesla
Phishing
Exploit
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Agent Tesla Malware is associated with CVE-2017-11882. Agent Tesla is a well-known malware that primarily targets systems through phishing attacks, exploiting an outdated Microsoft Office vulnerability (CVE-2017-11882). This malicious software is designed to infiltrate computer systems, often without the user's knowledge, and can steal personal informatUnspecified
5
The Formbook Malware is associated with CVE-2017-11882. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms oUnspecified
4
The GuLoader Malware is associated with CVE-2017-11882. GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for rUnspecified
2
The Lokibot Malware is associated with CVE-2017-11882. LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal informationUnspecified
2
The PowerShower Malware is associated with CVE-2017-11882. PowerShower is a malware variant that emerged as a significant threat due to its ability to exploit and damage computer systems. It was first observed in attacks against European targets in October 2018, where it exploited the CVE-2017-11882 vulnerability. The malware, written in PowerShell, was dowUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The vulnerability CVE-2018-0802 is associated with CVE-2017-11882. Unspecified
2
The CVE-2017-0199 Vulnerability is associated with CVE-2017-11882. CVE-2017-0199 is a software vulnerability that allows for remote code execution against older versions of Microsoft Office and Windows. This flaw in software design or implementation has been a popular vector of attack, with more than 5,600 malware samples exploiting the issue within a year, includiUnspecified
2
Source Document References
Information about the CVE-2017-11882 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
16 days ago
InfoSecurity-magazine
24 days ago
DARKReading
2 months ago
Securelist
2 months ago
Securelist
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
CERT-EU
a year ago
DARKReading
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Fortinet
7 months ago
Securityaffairs
7 months ago