CVE-2014-2271
Description
cn.wps.moffice.common.beans.print.CloudPrintWebView in Kingsoft Office 5.3.1, as used in Huawei P2 devices before V100R001C00B043, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and execute arbitrary Java code by leveraging a network position between the client and the registry to block HTTPS traffic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kingsoft Office 5.3.1 on Huawei P2 devices falls back to HTTP when HTTPS fails, enabling MITM downgrade attacks and arbitrary Java code execution.
Vulnerability
The vulnerability resides in the cn.wps.moffice.common.beans.print.CloudPrintWebView component of Kingsoft Office 5.3.1, as used in Huawei P2 devices before firmware version V100R001C00B043. When the HTTPS connection to the registry fails, the component falls back to an unencrypted HTTP connection. This insecure fallback behavior allows an attacker to intercept and manipulate the communication [1][2].
Exploitation
An attacker must be in a network position between the client device and the registry to block HTTPS traffic. By performing a man-in-the-middle (MITM) attack, the attacker can force the connection to downgrade from HTTPS to HTTP. Once the traffic is downgraded, the attacker can inject malicious Java code into the response, which is then executed by the application [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary Java code within the context of the Kingsoft Office application. This can lead to full compromise of the affected device, including unauthorized access to data, installation of malware, or further lateral movement within the network. The attack requires no prior authentication and can be conducted remotely if the attacker controls network traffic [1][2].
Mitigation
Huawei released firmware version V100R001C00B043 for the P2 device to address this vulnerability. Users should update their devices to this version or later. For Kingsoft Office standalone installations, no specific patch is mentioned in the available references; users are advised to upgrade to a version that does not exhibit the insecure fallback behavior or to enforce strict HTTPS-only communication via network controls [1][2].
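The fallback behavior described above, shown next to an HTTPS-only form. This is an added example, not code from Kingsoft Office or from the referenced advisories; the `Transport` interface, both method names and the `registry.example` URL are hypothetical, and the blocked-HTTPS condition is simulated so the program runs offline.

```java
import java.io.IOException;
import java.net.URI;

public class RegistryFetchDemo {
    // Hypothetical transport abstraction so the demo runs offline.
    interface Transport {
        String get(URI uri) throws IOException;
    }

    // Pattern from the CVE description: an HTTPS failure silently retries over HTTP.
    static String fetchWithFallback(Transport t, URI httpsUri) throws IOException {
        try {
            return t.get(httpsUri);
        } catch (IOException e) {
            URI plain = URI.create("http" + httpsUri.toString().substring("https".length()));
            return t.get(plain); // response is unauthenticated and attacker-controllable
        }
    }

    // Hardened form: HTTPS only; a connection failure is reported, never downgraded.
    static String fetchStrict(Transport t, URI uri) throws IOException {
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IOException("refusing non-HTTPS URI: " + uri);
        }
        return t.get(uri);
    }

    public static void main(String[] args) {
        // Constructed network condition: HTTPS is blocked on the path and
        // plain HTTP is answered with content nobody has authenticated.
        Transport blockedHttps = uri -> {
            if ("https".equalsIgnoreCase(uri.getScheme())) {
                throw new IOException("connection reset");
            }
            return "<unauthenticated response>";
        };
        URI registry = URI.create("https://registry.example/print"); // placeholder
        try {
            System.out.println("fallback accepted: " + fetchWithFallback(blockedHttps, registry));
            System.out.println("strict accepted: " + fetchStrict(blockedHttps, registry));
        } catch (IOException e) {
            System.out.println("strict refused: " + e.getMessage());
        }
    }
}
```

The strict path turns blocked HTTPS into a visible failure instead of a silent downgrade, which is the property the fallback path lacks.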
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Kingsoft/Office
- Range: =5.3.1
Patches
No patches discovered yet.
References
- www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-401529.htm
- www.securityfocus.com/bid/71381
- exchange.xforce.ibmcloud.com/vulnerabilities/99089
- labs.f-secure.com/advisories/kingsoft-office-remote-code-execution/
- labs.f-secure.com/assets/763/original/mwri_advisory_huawei_kingsoft-office.pdf