CVE-2017-0199

ENISA EUVD: EUVD-2017-0566 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 8 articles Published: 2017-04-12

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

94.3%

probability

This CVE has a 94.3% probability of being exploited in the next 30 days.

0% Top 99.9th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

7.8

HIGH

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2 (legacy)

9.3

HIGH

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Description

VulnerabilityLookup (CNA)

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

Affected Products

Microsoft Corporation

Office/WordPad

Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8.1

microsoft

office

microsoft

windows 7

microsoft

windows server 2008

microsoft

windows server 2012

microsoft

windows vista

Microsoft Corporation

Office/WordPad

Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8.1

Google Project Zero

Patched

April 11, 2017

Reported by

Ryan Hanson (@Ryhanson) of Optiv, Microsoft MSRC Vulnerabilities and Mitigations Team, Microsoft Office Security Team, Genwei Jiang, FLARE Team, FireEye Inc, Eduardo Braun Prado of SecuriTeam Secure Disclosure (SSD)

Root Cause Analysis

???

Exploits & PoC

bhdresh/CVE-2017-0199

Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Mic

725 2017-11-19

haibara3839/CVE-2017-0199-master

CVE-2017-0199

16 2017-04-19

NotAwful/CVE-2017-0199-Fix

Quick and dirty fix to OLE2 executing code via .hta

13 2017-04-24

SyFi/cve-2017-0199

12 2017-04-13

Exploit-install/CVE-2017-0199

Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate

7 2017-04-22

jacobsoo/RTF-Cleaner

RTF Cleaner, tries to extract URL from malicious RTF samples using CVE-2017-0199 & CVE-2017-8759

3 2017-12-08

mzakyz666/PoC-CVE-2017-0199

Exploit toolkit for vulnerability RCE Microsoft RTF

2 2017-04-22

n1shant-sinha/CVE-2017-0199

Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate

2 2017-04-23

kn0wm4d/htattack

An exploit implementation for RCE in RTF & DOCs (CVE-2017-0199)

2 2017-04-24

nicpenning/RTF-Cleaner

RTF de-obfuscator for CVE-2017-0199 documents to find URLs statically.

2 2017-11-03

herbiezimmerman/2017-11-17-Maldoc-Using-CVE-2017-0199

2 2017-11-17

Sunqiz/CVE-2017-0199-reprofuction

CVE-2017-0199复现

2 2022-08-19

Phantomlancer123/CVE-2017-0199

1 2022-04-20

ahmed-tarek22752/RCE-CVE-2017-0199-detection-analysis

This repository contains a full blue-team malware analysis of a real malicious DOCX exploiting CVE-2017-0199. The lab includes sandbox execution, net

1 2025-11-23

ryhanson/CVE-2017-0199

0 2017-04-13

joke998/Cve-2017-0199

0 2017-04-25

joke998/Cve-2017-0199-

Cve-2017-0199

0 2017-04-25

sUbc0ol/Microsoft-Word-CVE-2017-0199-

0 2017-06-30

viethdgit/CVE-2017-0199

0 2017-09-19

likekabin/CVE-2017-0199

0 2018-03-22

stealth-ronin/CVE-2017-0199-PY-KIT

0 2020-10-18

BRAINIAC22/CVE-2017-0199

A python script/generator, for generating and exploiting Microsoft vulnerability

0 2022-04-22

TheCyberWatchers/CVE-2017-0199-v5.0

0 2023-09-02

kash-123/CVE-2017-0199

Python3 toolkit update

0 2025-12-10

BlackOclock/XLS-to-DBatLoader-or-GuLoader-for-AgentTesla-variant

CVE-2017-0199 XLS --> HTA --> VBS --> STEGANOGRAPHY --> DBATLOADER/GULOADER STYLE MALWARE

0 2026-03-13

25 repos — triés par ⭐ Rechercher sur GitHub ↗

http://www.securityfocus.com/bid/97498

vdb-entry x_refsource_BID

https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/

x_refsource_MISC

http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.html

x_refsource_MISC

https://www.exploit-db.com/exploits/41894/

exploit x_refsource_EXPLOIT-DB

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html

x_refsource_MISC

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

x_refsource_CONFIRM

Signal Intelligence

Confidenceⓘ

92%

EPSS 94.3%

CVSS v3.1 7.8

Mentions 8

Last Seen Sep 04, 2023

CNA Information

CNA Assigner

microsoft

Analyst Note

CVE-2017-0199 is a well-documented remote code execution vulnerability in Microsoft Office affecting multiple versions across Windows platforms, with CVSS 7.8 (HIGH) severity. The vulnerability was reported by Google Project Zero and actively exploited in the wild according to CERT-EU security advisories, providing strong evidence for confirmation.