{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/office-click-to-run/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40420"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Click-To-Run"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","office","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40420 is an improper access control vulnerability affecting Microsoft Office Click-To-Run. An authorized attacker who successfully exploits this vulnerability can elevate their privileges on the local system. The vulnerability stems from insufficient checks on user permissions during certain operations within the Click-To-Run component. Successful exploitation would allow the attacker to perform actions with higher privileges than intended, potentially leading to system compromise. This vulnerability impacts systems running vulnerable versions of Microsoft Office Click-To-Run. 
Defenders should apply the patch released by Microsoft to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system with standard user privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a vulnerable function within Microsoft Office Click-To-Run that is susceptible to improper access control.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload or exploits a specific API call within Click-To-Run.\u003c/li\u003e\n\u003cli\u003eThe crafted payload bypasses the insufficient access control checks.\u003c/li\u003e\n\u003cli\u003eThe Click-To-Run component executes the attacker\u0026rsquo;s payload with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform unauthorized actions on the local system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges further to gain SYSTEM level access.\u003c/li\u003e\n\u003cli\u003eThe attacker can then install software, modify data, or create new accounts with full administrative rights.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40420 allows a local attacker to elevate privileges on a vulnerable system. This can lead to complete system compromise, including unauthorized data access, modification, or deletion, as well as the installation of malicious software. 
The vulnerability affects any system running a vulnerable version of Microsoft Office Click-To-Run.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to address CVE-2026-40420 as soon as possible; reference the Microsoft advisory for CVE-2026-40420.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for unusual child processes spawned by Office Click-To-Run processes to identify potential privilege escalation attempts using the \u0026ldquo;Office Click-To-Run Suspicious Child Process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable process creation auditing to ensure that the relevant logs are available for detection and investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:50:29Z","date_published":"2026-05-12T18:50:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40420/","summary":"CVE-2026-40420 is an improper access control vulnerability in Microsoft Office Click-To-Run allowing an authorized attacker to elevate privileges locally.","title":"CVE-2026-40420 - Microsoft Office Click-To-Run Improper Access Control Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40420/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40418"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Click-To-Run"],"_cs_severities":["high"],"_cs_tags":["cve","privilege-escalation","windows","use-after-free"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-40418 is a use-after-free vulnerability affecting Microsoft Office Click-To-Run. This vulnerability allows an attacker with local access and authorization to elevate their privileges on the system. The vulnerability arises from improper memory management within the Click-To-Run component. 
An authorized attacker could potentially exploit this flaw to execute arbitrary code with elevated privileges, leading to unauthorized access and control over the affected system. Successful exploitation requires the attacker to already have some level of access to the target machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial authorized access to the target system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a process using the vulnerable Microsoft Office Click-To-Run component.\u003c/li\u003e\n\u003cli\u003eAttacker triggers the use-after-free condition within the Office Click-To-Run application by sending a specially crafted input.\u003c/li\u003e\n\u003cli\u003eThe application attempts to access a previously freed memory location, causing a crash or unexpected behavior.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the use-after-free vulnerability to corrupt memory and redirect execution flow.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious code into memory.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed with the privileges of the Office Click-To-Run application.\u003c/li\u003e\n\u003cli\u003eAttacker elevates privileges and gains unauthorized control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40418 allows an authorized local attacker to elevate their privileges on the targeted system. This could lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and modification of system configurations. 
Given the widespread use of Microsoft Office, this vulnerability could potentially affect numerous organizations and individuals.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-40418 on all systems running Microsoft Office Click-To-Run as soon as possible (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40418\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40418\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect CVE-2026-40418 Exploitation Attempt — Suspicious Office Process Memory Access\u0026rdquo; to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process behavior and memory access patterns in Microsoft Office Click-To-Run processes.\u003c/li\u003e\n\u003cli\u003eRestrict local access to systems running Microsoft Office Click-To-Run to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:49:57Z","date_published":"2026-05-12T18:49:57Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40418-office-uaf/","summary":"CVE-2026-40418 is a use-after-free vulnerability in Microsoft Office Click-To-Run that allows an authorized attacker to elevate privileges locally.","title":"CVE-2026-40418: Microsoft Office Click-To-Run Use-After-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40418-office-uaf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35436"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office Click-To-Run"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","cve"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-35436 is a privilege escalation vulnerability affecting Microsoft Office Click-To-Run. 
The vulnerability stems from insufficient granularity of access control, which allows an authorized attacker to elevate their privileges on a local system. This could allow an attacker to perform actions with elevated permissions, potentially leading to unauthorized access to sensitive data, modification of system configurations, or execution of arbitrary code. Microsoft has released a security update to address this vulnerability. This vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with an authorized, but limited, user account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that the Microsoft Office Click-To-Run component has insufficient access control granularity.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this vulnerability to bypass intended access restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the Click-To-Run component to perform actions normally restricted to higher-privileged users.\u003c/li\u003e\n\u003cli\u003eThis could involve modifying configuration files or accessing protected system resources.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully elevates their privileges on the local system.\u003c/li\u003e\n\u003cli\u003eWith elevated privileges, the attacker can now access sensitive data, install malicious software, or modify system settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35436 allows an attacker to elevate their privileges on a local system running Microsoft Office Click-To-Run. This could result in unauthorized access to sensitive data, modification of critical system configurations, or the installation and execution of malware. 
Given the wide deployment of Microsoft Office, this vulnerability could have a significant impact on organizations and individuals who do not apply the necessary security updates.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to address CVE-2026-35436 immediately.\u003c/li\u003e\n\u003cli\u003eMonitor systems for suspicious process executions or configuration changes related to Microsoft Office Click-To-Run, using a process monitoring tool.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided below to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T18:33:02Z","date_published":"2026-05-12T18:33:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-35436-office-privesc/","summary":"CVE-2026-35436 is a privilege escalation vulnerability in Microsoft Office Click-To-Run due to insufficient granularity of access control, allowing an authorized attacker to elevate privileges locally.","title":"CVE-2026-35436: Microsoft Office Click-To-Run Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-35436-office-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Office Click-to-Run","version":"https://jsonfeed.org/version/1.1"}