VYPR
Unrated severity · NVD Advisory · Published Mar 23, 2022 · Updated Aug 3, 2024

CVE-2022-24934

Description

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kingsoft WPS Office updater allows remote code execution via registry modification, enabling attacker persistence.

Vulnerability

CVE-2022-24934 is a remote code execution vulnerability in the wpsupdater.exe component of Kingsoft WPS Office through version 11.2.0.10382. The vulnerability allows an attacker to achieve code execution by modifying the HKEY_CURRENT_USER registry hive. The exact mechanism involves the updater reading a registry key that can be altered by a low-integrity process, enabling arbitrary binary execution under the context of the WPS updater. This was identified by Avast researchers in the context of the "Operation Dragon Castling" campaign, which targeted betting companies in Southeast Asia [1]. The official WPS Office website [2] does not provide technical details but confirms the product's widespread use.

Exploitation

Exploitation requires an attacker to have already achieved a foothold on the target system with sufficient privileges to write to HKEY_CURRENT_USER. This can be achieved through social engineering, malicious email attachments, or other initial access methods. Once the attacker can modify the relevant registry key under HKEY_CURRENT_USER, they can point wpsupdater.exe to a malicious executable. On the next update cycle (when wpsupdater.exe runs), the updater will execute the attacker-supplied payload instead of the legitimate update binary. The attacker does not need to authenticate to the WPS service itself; the attack exploits a registry-based configuration weakness in the local client [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the WPS Office updater process. This enables a wide range of post-exploitation actions, including installation of backdoors (such as the MulCom backdoor seen in the campaign), credential theft, lateral movement, and data exfiltration. The attacker gains a persistent mechanism because the compromised updater will run on system startup or at scheduled update times, providing long-term access to the infected host [1].

Mitigation

Kingsoft WPS Office users should upgrade to a version newer than 11.2.0.10382. As of the publication date (2022-03-23), Avast reported the vulnerability to Kingsoft, and a fix was expected. Users should verify they are running the latest version from the official WPS Office website [2]. As a workaround, restricting write access to the HKEY_CURRENT_USER keys used by the WPS updater (e.g., via Windows Group Policy or registry ACLs) can mitigate exploitation, though this may impact updater functionality. CVE-2022-24934 was actively exploited in the wild by the APT group behind Operation Dragon Castling [1], and it was later added to the CISA Known Exploited Vulnerabilities Catalog (KEV).
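For defenders, the two observable steps described under Exploitation (a write to the updater's HKEY_CURRENT_USER key by a non-WPS process, then wpsupdater.exe launching a binary from outside its install directory) can be triaged from Sysmon-style registry and process-creation events. The following is an added example, not code from the advisory, Avast or Kingsoft; the registry key fragment is a placeholder because the advisory does not name the key, and the install path and sample events are constructed.

```python
# Added example: triage Sysmon-style events for the behaviour described above.
from ntpath import basename, normcase  # Windows path rules on any OS

# Assumptions (not from the advisory): WATCHED_KEY is a placeholder for the
# updater's real key, and TRUSTED_ROOT is a constructed install directory.
WATCHED_KEY = r"\software\<wps-updater-key-placeholder>"
TRUSTED_ROOT = normcase("C:\\Program Files\\WPS Office\\")
UPDATER = "wpsupdater.exe"

def triage(events):
    """Return (severity, message) findings for one host's time-ordered events."""
    findings, tampered = [], False
    for ev in events:
        image = normcase(ev["Image"])
        trusted = image.startswith(TRUSTED_ROOT)
        if ev["EventID"] == 13:  # Sysmon RegistryEvent (value set)
            # Sysmon reports HKEY_CURRENT_USER writes as HKU\<SID>\...
            target = normcase(ev["TargetObject"])
            if target.startswith("hku\\") and WATCHED_KEY in target and not trusted:
                tampered = True
                findings.append(("medium", f"{basename(image)} wrote {ev['TargetObject']}"))
        elif ev["EventID"] == 1:  # Sysmon process creation
            parent = basename(normcase(ev["ParentImage"]))
            if parent == UPDATER and not trusted:
                # Escalate when the launch follows a suspicious key write.
                sev = "high" if tampered else "medium"
                findings.append((sev, f"{UPDATER} launched {ev['Image']}"))
    return findings

SAMPLE = [  # constructed events, not taken from a real incident
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\viewer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\<wps-updater-key-placeholder>\Value"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\tmp1.exe",
     "ParentImage": r"C:\Program Files\WPS Office\wpsupdater.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\WPS Office\wps.exe",
     "ParentImage": r"C:\Program Files\WPS Office\wpsupdater.exe"},
]

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE):
        print(sev, msg)
```

Trusting a child image by path prefix is a simplification; checking the image's signature is a stronger signal where that data is collected.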

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2