CVE-2022-25969
Description
The installer of WPS Office Version 10.8.0.6186 insecurely loads VERSION.DLL (or some other DLLs), allowing an attacker to execute arbitrary code with the privilege of the user invoking the installer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WPS Office installer insecurely loads DLLs, allowing arbitrary code execution with user privileges.
Vulnerability
The installer of WPS Office versions 10.8.0.5745 and 10.8.0.6186 (and possibly earlier) insecurely loads dynamic-link libraries (DLLs) such as VERSION.DLL or shcore.dll from the same folder as the installer executable (wps.1.9.exe or wps.4.136.exe). This is a CWE-427 uncontrolled search path vulnerability that allows an attacker to place a malicious DLL in the installer's directory, which will be loaded during installation [1][2].
Exploitation
An attacker must trick a user into placing a specially crafted DLL file (e.g., shcore.dll) in the same folder as the WPS Office installer. The user then runs the installer, which loads the malicious DLL instead of the legitimate system DLL, executing arbitrary code with the privileges of the user [1][2]. No authentication or special network access is required beyond the ability to place the file (e.g., via social engineering or a previously compromised system).
Impact
Successful exploitation allows arbitrary code execution with the privilege of the user invoking the installer. This can lead to full compromise of the user's data and system, including installation of malware, data theft, or further privilege escalation [1].
Mitigation
The vendor (KINGSOFT) has stated that the vulnerability is resolved in the latest versions of WPS Office [2]. Users should upgrade to a version newer than 10.8.0.6186. For users unable to upgrade, the JVN recommends discontinuing use of the affected product and switching to an alternative [1]. No workaround is provided.
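A pre-run check for the condition described above, as an added example that is not part of the advisory or the vendor's guidance: it lists DLLs named like system DLLs that sit in the same folder as an executable. The function names, the sample file names and the fallback name list are assumptions made for this illustration; only `version.dll` and `shcore.dll` come from the page.

```python
import os
import tempfile
from pathlib import Path

# DLL names mentioned on this page; used when no System32 listing is available.
PAGE_DLL_NAMES = {"version.dll", "shcore.dll"}


def system_dll_names(system_dir=None):
    """Return lower-cased DLL names to treat as system DLLs.

    Adds every *.dll in `system_dir` (default: %SystemRoot%\\System32 when
    that variable is set) to the names taken from the page.
    """
    names = set(PAGE_DLL_NAMES)
    sysroot = os.environ.get("SystemRoot")
    root = system_dir or (os.path.join(sysroot, "System32") if sysroot else None)
    if root and os.path.isdir(root):
        names |= {n.lower() for n in os.listdir(root) if n.lower().endswith(".dll")}
    return names


def find_planted_dlls(folder, known=None):
    """Return (executable, dll) name pairs found side by side in `folder`.

    A pair is reported when a file named like a system DLL shares the folder
    with an .exe, which is the layout the installer would load from.
    """
    known = known if known is not None else system_dll_names()
    entries = [p for p in Path(folder).iterdir() if p.is_file()]
    exes = sorted(p.name for p in entries if p.suffix.lower() == ".exe")
    dlls = sorted(p.name for p in entries if p.name.lower() in known)
    return [(exe, dll) for exe in exes for dll in dlls]


def demo():
    """Constructed sample: a download folder holding an installer and stray files."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("setup_sample.exe", "SHCORE.DLL", "readme.txt", "helper.dll"):
            Path(d, name).write_bytes(b"")
        return find_planted_dlls(d, known=PAGE_DLL_NAMES)


if __name__ == "__main__":
    for exe, dll in demo():
        print(f"review before running {exe}: {dll} is in the same folder")
```

Point `find_planted_dlls` at the folder the installer was saved to before launching it; any reported DLL should be removed or investigated first.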
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 10.8.0.6186
- KINGSOFT JAPAN, INC. / The installer of WPS Office (v5). Range: Reported for Version 10.8.0.6186
Patches
No patches discovered yet.
References
- [1] jvn.jp/en/jp/JVN21234459/ (mitre, third-party-advisory, x_refsource_JVN)
- [2] support.kingsoft.jp/support-info/weakness.html (mitre, x_refsource_CONFIRM)