CVE-2025-62559

Microsoft · Microsoft Multiple Products

A high-severity vulnerability has been identified in Microsoft Office Word that could allow an attacker to take control of an affected system.

Executive summary

A high-severity vulnerability has been identified in Microsoft Office Word that could allow an attacker to take control of an affected system. An attacker could exploit this vulnerability by tricking a user into opening a specially crafted Word document, which would then allow them to execute malicious code with the same permissions as the user. This could lead to data theft, installation of malware, or further compromise of the organization's network.

Vulnerability

This is a "Use After Free" vulnerability. The flaw exists in how Microsoft Word handles memory when processing certain document elements. An attacker can craft a malicious Word file that causes the application to free a portion of memory and later reference it again through a stale (dangling) pointer. If the attacker can place controlled data into that freed memory before the stale reference is used, the dereference operates on attacker-controlled content, which can be turned into execution of attacker-supplied code. Successful exploitation requires the victim to open the malicious file, typically delivered via email or a web download, leading to local code execution in the context of the logged-in user.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could have a significant negative impact on the business. An attacker who gains code execution on a user's workstation can access, modify, or exfiltrate sensitive data stored on the machine, including corporate documents, credentials, and personal information. Furthermore, the compromised system could be used as a pivot point for lateral movement within the corporate network, potentially leading to a wider breach, ransomware deployment, or persistent access for the attacker. Given the ubiquity of Microsoft Word in business environments, the attack surface is extensive.

Remediation

Immediate Action: Apply the security updates released by Microsoft immediately across all affected workstations and servers. Concurrently, security teams should actively monitor for any signs of exploitation attempts and conduct a thorough review of relevant system, EDR, and application access logs for anomalous activity related to Microsoft Word processes.

Proactive Monitoring: Security teams should monitor for unusual child processes spawning from winword.exe (e.g., cmd.exe, powershell.exe). Endpoint Detection and Response (EDR) solutions should be configured to alert on memory corruption techniques and unexpected network connections originating from the Word application. Scrutinize email security gateway logs for incoming Word documents with suspicious characteristics.
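To make the child-process check above concrete, here is an added Python example (not from this advisory or from Microsoft) that runs the winword.exe parent/child rule over constructed Sysmon-style process-creation records. It extends the page's cmd.exe/powershell.exe list with other script hosts and living-off-the-land binaries that the same rule covers; the Host/Image/ParentImage/CommandLine field names and the sample events are assumptions.

```python
import json

# Child processes worth alerting on when the parent is Word. The advisory names
# cmd.exe and powershell.exe; the other script hosts and LOLBins are added here
# because the same parent/child rule applies to them.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Constructed sample log lines in the shape of Sysmon Event ID 1 (process
# creation) records exported as JSON, one event per line. Not real telemetry.
SAMPLE_LOG = r"""
{"Host":"WS01","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"cmd.exe /c whoami"}
{"Host":"WS01","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"WINWORD.EXE report.docx"}
{"Host":"WS02","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"powershell.exe -nop -w hidden"}
{"Host":"WS03","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe"}
{"Host":"WS02","Image":"C:\\Windows\\splwow64.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"splwow64.exe 12288"}
"""

def basename(path):
    """Lowercase file name of a Windows path (accepts either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_events(log):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line must not stop the whole sweep
    return events

def flag_word_children(events):
    """Return one alert per event where winword.exe spawned a suspicious child."""
    alerts = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent == "winword.exe" and child in SUSPICIOUS_CHILDREN:
            alerts.append({"host": ev.get("Host", "?"), "child": child,
                           "cmdline": ev.get("CommandLine", "")})
    return alerts

if __name__ == "__main__":
    for a in flag_word_children(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['host']}: winword.exe -> {a['child']} [{a['cmdline']}]")
```

On the sample data this flags the cmd.exe and powershell.exe launches on WS01 and WS02 while leaving the explorer.exe-launched processes and Word's legitimate splwow64.exe print helper alone.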

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Ensure Microsoft Office Protected View is enabled for all documents originating from the internet or other untrusted sources.
  • Use application control policies (e.g., AppLocker, WDAC) to prevent winword.exe from launching executable files or scripts.
  • Reinforce user security awareness training, specifically on the dangers of opening unsolicited email attachments.
  • Ensure antivirus and EDR signatures and behavioral detection rules are fully updated.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.8) and the potential for complete system compromise via a common attack vector (malicious document), this vulnerability poses a significant risk to the organization. Although it is not currently listed on the CISA KEV list, its characteristics make it a prime candidate for future inclusion and widespread exploitation. It is strongly recommended that organizations prioritize the deployment of the vendor-supplied patches to all affected systems with the utmost urgency, adhering to critical vulnerability patching timelines.