Proof-of-Concept released for critical Microsoft Word RCE bug

A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend.
Tweet-sized PoC

Security researcher Joshua Drake discovered the vulnerability last year in Microsoft Office's "Wwlib.dll" and sent Microsoft a technical advisory containing proof-of-concept code showing that the issue is exploitable.
The researcher explains that the RTF parser in Microsoft Word has a heap corruption vulnerability that is triggered "When dealing with a font table containing an excessive number of fonts."
Even though a complete exploit is currently unavailable and remains theoretical, installing the security update from Microsoft is the safest way to deal with the vulnerability.
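Since the bug is triggered by a font table with an excessive number of fonts, one defender-side triage check is to count the fonts an RTF file declares before it reaches Word. The following is an added example, not code from the article or from the researcher's PoC; the font-count threshold and the sample document are constructed assumptions, as the article does not give the number that triggers the bug.

```python
"""Heuristic triage for RTF files: flag an oversized {\fonttbl} group.

Added example for CVE-2023-21716 coverage, not the researcher's PoC.
The threshold is an assumed triage value; the article gives no number.
"""
import re

# Matches a font-definition control word such as \f0, \f1, ... inside
# the font table. \fcharset, \froman, \fswiss etc. do not match because a
# non-digit follows the "f".
FONT_ENTRY = re.compile(rb"\\f(\d+)")
SUSPICIOUS_FONT_COUNT = 1000  # assumed triage threshold, not from the article


def extract_fonttbl(rtf: bytes) -> bytes:
    """Return the {\fonttbl ...} group, honouring nested braces.

    Returns b'' when the document declares no font table. An unterminated
    group (truncated or malformed file) yields everything after the opener.
    """
    start = rtf.find(rb"{\fonttbl")
    if start == -1:
        return b""
    depth = 0
    for i in range(start, len(rtf)):
        c = rtf[i:i + 1]
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
    return rtf[start:]


def count_fonts(rtf: bytes) -> int:
    """Count distinct font numbers declared inside the font table only.

    Font selections in the body (\f0 before text) are deliberately ignored.
    """
    return len(set(FONT_ENTRY.findall(extract_fonttbl(rtf))))


def triage(rtf: bytes, threshold: int = SUSPICIOUS_FONT_COUNT) -> dict:
    """Return the font count and whether it exceeds the triage threshold."""
    n = count_fonts(rtf)
    return {"fonts": n, "suspicious": n > threshold}


# Constructed benign sample: two fonts declared, one selected in the body.
BENIGN_RTF = (rb"{\rtf1\ansi{\fonttbl{\f0\froman\fcharset0 Times New Roman;}"
              rb"{\f1\fswiss\fcharset0 Arial;}}\f0\fs24 Hello\par}")

if __name__ == "__main__":
    print(triage(BENIGN_RTF))
```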
Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2023-02-14 | CVE-2023-21716 | Unspecified vulnerability in Microsoft products: Microsoft Word Remote Code Execution Vulnerability | 9.8