High severity · 7.8 · NVD Advisory · Published Mar 12, 2018 · Updated May 14, 2026

CVE-2018-6400

Description

Kingsoft WPS Office Free 10.2.0.5978 allows local users to gain privileges or cause a denial of service by impersonating all the pipes through a use of \\.\pipe\WPSCloudSvr\WpsCloudSvr -- an "insecurely created named pipe." The pipe grants full access to the Everyone users group.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WPS Office's insecurely created named pipe allows local non-administrative users to gain SYSTEM privileges or cause denial of service.

Vulnerability

Kingsoft WPS Office Free 10.2.0.5978 (and other affected versions including WPS Office2 2020/2025 editions, WPS Cloud, WPS Cloud Pro, and KINGSOFT PDF Pro up to version 11.2.0.10715/10716) creates a named pipe at \\.\pipe\WPSCloudSvr\WpsCloudSvr with a NULL DACL, granting full access to the Everyone group. This improper access restriction (CWE-749) allows any local user to interact with the pipe without proper security checks [1][3].
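To make the NULL DACL condition concrete, the following added example (not code from the vendor or from this advisory) parses a self-relative Windows security descriptor and reports a NULL or absent DACL, or an allow ACE that gives Everyone rights to re-ACL the object, take ownership or create pipe instances. It assumes the descriptor bytes were already collected from the pipe by other tooling; `audit_descriptor`, `parse_sid` and `build_sd` are hypothetical names, and the sample descriptors are constructed.

```python
import struct

SE_DACL_PRESENT = 0x0004   # control bit: the descriptor carries a DACL field
EVERYONE = "S-1-1-0"       # well-known World SID
# WRITE_DAC | WRITE_OWNER | FILE_CREATE_PIPE_INSTANCE | GENERIC_ALL
RISKY = 0x00040000 | 0x00080000 | 0x0004 | 0x10000000

def parse_sid(buf, off):
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def audit_descriptor(sd):
    """Return findings for a self-relative SECURITY_DESCRIPTOR given as bytes."""
    control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<2xHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return ["NULL or absent DACL: no access check, full access for every caller"]
    ace_count, = struct.unpack_from("<4xH", sd, dacl_off)
    findings, off = [], dacl_off + 8          # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):                # zero ACEs = empty DACL = deny all
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        if size < 8:
            raise ValueError("corrupt ACE size")
        # Type 0 is ACCESS_ALLOWED_ACE; flag 0x08 (INHERIT_ONLY) does not apply here.
        if ace_type == 0 and not flags & 0x08 and mask & RISKY:
            if parse_sid(sd, off + 8) == EVERYONE:
                findings.append("Everyone allowed risky rights, mask 0x%08X" % mask)
        off += size
    return findings

def build_sd(aces):
    """Constructed sample: descriptor whose DACL allows Everyone each mask in aces."""
    sid = struct.pack("<BB6sI", 1, 1, (1).to_bytes(6, "big"), 0)      # S-1-1-0
    body = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(sid), m) + sid for m in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

NULL_DACL_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 0)      # constructed

if __name__ == "__main__":
    # 0x001F01FF is FILE_ALL_ACCESS; 0x0012019B is read + write data only.
    for name, sd in [("null", NULL_DACL_SD), ("full", build_sd([0x001F01FF])),
                     ("read-write", build_sd([0x0012019B]))]:
        print(name, audit_descriptor(sd) or "ok")
```

A DACL that is present but has zero ACEs denies everyone and yields no finding, which is the opposite of the NULL DACL case described above.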

Exploitation

An attacker with local, non-administrative access can connect to the named pipe and impersonate the pipe server or client. By sending crafted requests, the attacker can execute arbitrary commands in the context of the SYSTEM-privileged service that owns the pipe. No user interaction or additional authentication is required beyond the ability to run a local process [1][3].

Impact

Successful exploitation allows the attacker to execute arbitrary programs with SYSTEM privileges, leading to full compromise of the affected Windows system. This includes the ability to read, modify, or delete any data, install persistent malware, or cause a denial of service [1][3].

Mitigation

Users should update to the latest version provided by the vendor. For personal products, update to WPS Office2 (2025 edition) version 11.2.0.10721 or later; for other affected products, follow the vendor's update instructions available at [2]. No workaround other than updating is documented. Older versions (e.g., 10.2.0.5978) remain vulnerable and should be upgraded immediately [1][3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
