Try in Splunk Security Cloud


A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-03-10
  • Author: Michael Haag, Splunk
  • ID: b1aeaf2c-8496-42e7-b2f7-15c328bc75d9


This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office’’s “wwlib.dll” and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don’‘t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)


Name Technique Type
Office Application Drop Executable Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Winword Spawning Cmd Phishing, Spearphishing Attachment TTP
Winword Spawning PowerShell Phishing, Spearphishing Attachment TTP
Winword Spawning Windows Script Host Phishing, Spearphishing Attachment TTP


source | version: 1