CVE-2024-7262: 
Kingsoft WPS Office vulnerability analysis and mitigation

The vulnerability (CVE-2024-7262) affects Kingsoft WPS Office for Windows versions ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive). It involves improper path validation in promecefpluginhost.exe that allows an attacker to load an arbitrary Windows library. The vulnerability was discovered being actively exploited in the wild through a weaponized single-click exploit delivered via a deceptive spreadsheet document (ESET Research, NVD).

The vulnerability stems from improper path validation in the promecefpluginhost.exe component. When a user clicks on a specially crafted hyperlink using the ksoqing protocol handler, the application fails to properly validate the JSCefServicePath parameter, allowing an attacker to load arbitrary libraries. The vulnerability received a CVSS 3.1 base score of 7.8 (HIGH) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS 4.0 score of 9.3 (CRITICAL) (ESET Research).

The vulnerability allows attackers to achieve code execution on targeted systems through a single click. The exploit can be triggered via a deceptive spreadsheet document, and notably, it can also be activated through the preview pane in Windows Explorer, making it particularly dangerous. The widespread use of WPS Office, with over 500 million active users worldwide, makes this vulnerability especially significant (ESET Research).

Kingsoft has released patches to address this vulnerability. Users are strongly advised to update to WPS Office version 12.2.0.16412 or later. The vulnerability has been added to CISA's Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply vendor mitigations by September 24, 2024 (CISA, WPS Update).