https://feed.craftedsignal.io/products/office-click-to-run/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 12 May 2026 18:50:29 +0000https://feed.craftedsignal.io/briefs/2026-05-cve-2026-40420/Tue, 12 May 2026 18:50:29 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40420/CVE-2026-40420 is an improper access control vulnerability in Microsoft Office Click-To-Run allowing an authorized attacker to elevate privileges locally.CVE-2026-40420 is an improper access control vulnerability affecting Microsoft Office Click-To-Run. An authorized attacker who successfully exploits this vulnerability can elevate their privileges on the local system. The vulnerability stems from insufficient checks on user permissions during certain operations within the Click-To-Run component. Successful exploitation would allow the attacker to perform actions with higher privileges than intended, potentially leading to system compromise. This vulnerability impacts systems running vulnerable versions of Microsoft Office Click-To-Run. Defenders should apply the patch released by Microsoft to mitigate this risk.

Attack Chain

1. An attacker gains initial access to the system with standard user privileges.
2. The attacker identifies a vulnerable function within Microsoft Office Click-To-Run that is susceptible to improper access control.
3. The attacker crafts a malicious payload or exploits a specific API call within Click-To-Run.
4. The crafted payload bypasses the insufficient access control checks.
5. The Click-To-Run component executes the attacker’s payload with elevated privileges.
6. The attacker leverages the elevated privileges to perform unauthorized actions on the local system.
7. The attacker escalates privileges further to gain SYSTEM level access.
8. The attacker can then install software, modify data, or create new accounts with full administrative rights.

Impact

Successful exploitation of CVE-2026-40420 allows a local attacker to elevate privileges on a vulnerable system. This can lead to complete system compromise, including unauthorized data access, modification, or deletion, as well as the installation of malicious software. The vulnerability affects any system running a vulnerable version of Microsoft Office Click-To-Run.

Recommendation

• Apply the security update provided by Microsoft to address CVE-2026-40420 as soon as possible; reference the Microsoft advisory for CVE-2026-40420.
• Monitor process creations for unusual child processes spawned by Office Click-To-Run processes to identify potential privilege escalation attempts using the “Office Click-To-Run Suspicious Child Process” Sigma rule.
• Enable process creation auditing to ensure that the relevant logs are available for detection and investigation.

]]>highadvisoryprivilege-escalationofficewindowshttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40418-office-uaf/Tue, 12 May 2026 18:49:57 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-40418-office-uaf/CVE-2026-40418 is a use-after-free vulnerability in Microsoft Office Click-To-Run that allows an authorized attacker to elevate privileges locally.CVE-2026-40418 is a use-after-free vulnerability affecting Microsoft Office Click-To-Run. This vulnerability allows an attacker with local access and authorization to elevate their privileges on the system. The vulnerability arises from improper memory management within the Click-To-Run component. An authorized attacker could potentially exploit this flaw to execute arbitrary code with elevated privileges, leading to unauthorized access and control over the affected system. Successful exploitation requires the attacker to already have some level of access to the target machine.

Attack Chain

1. Attacker gains initial authorized access to the target system.
2. Attacker identifies a process using the vulnerable Microsoft Office Click-To-Run component.
3. Attacker triggers the use-after-free condition within the Office Click-To-Run application by sending a specially crafted input.
4. The application attempts to access a previously freed memory location, causing a crash or unexpected behavior.
5. Attacker leverages the use-after-free vulnerability to corrupt memory and redirect execution flow.
6. Attacker injects malicious code into memory.
7. The injected code is executed with the privileges of the Office Click-To-Run application.
8. Attacker elevates privileges and gains unauthorized control over the system.

Impact

Successful exploitation of CVE-2026-40418 allows an authorized local attacker to elevate their privileges on the targeted system. This could lead to complete system compromise, including unauthorized access to sensitive data, installation of malware, and modification of system configurations. Given the widespread use of Microsoft Office, this vulnerability could potentially affect numerous organizations and individuals.

Recommendation

• Apply the security update provided by Microsoft to patch CVE-2026-40418 on all systems running Microsoft Office Click-To-Run as soon as possible (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40418).
• Implement the Sigma rule “Detect CVE-2026-40418 Exploitation Attempt — Suspicious Office Process Memory Access” to detect potential exploitation attempts.
• Monitor for suspicious process behavior and memory access patterns in Microsoft Office Click-To-Run processes.
• Restrict local access to systems running Microsoft Office Click-To-Run to minimize the attack surface.

]]>highadvisorycveprivilege-escalationwindowsuse-after-freehttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-35436-office-privesc/Tue, 12 May 2026 18:33:02 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-35436-office-privesc/CVE-2026-35436 is a privilege escalation vulnerability in Microsoft Office Click-To-Run due to insufficient granularity of access control, allowing an authorized attacker to elevate privileges locally.CVE-2026-35436 is a privilege escalation vulnerability affecting Microsoft Office Click-To-Run. The vulnerability stems from insufficient granularity of access control, which allows an authorized attacker to elevate their privileges on a local system. This could allow an attacker to perform actions with elevated permissions, potentially leading to unauthorized access to sensitive data, modification of system configurations, or execution of arbitrary code. Microsoft has released a security update to address this vulnerability. This vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity.

Attack Chain

1. An attacker gains initial access to a system with an authorized, but limited, user account.
2. The attacker identifies that the Microsoft Office Click-To-Run component has insufficient access control granularity.
3. The attacker leverages this vulnerability to bypass intended access restrictions.
4. The attacker manipulates the Click-To-Run component to perform actions normally restricted to higher-privileged users.
5. This could involve modifying configuration files or accessing protected system resources.
6. The attacker successfully elevates their privileges on the local system.
7. With elevated privileges, the attacker can now access sensitive data, install malicious software, or modify system settings.

Impact

Successful exploitation of CVE-2026-35436 allows an attacker to elevate their privileges on a local system running Microsoft Office Click-To-Run. This could result in unauthorized access to sensitive data, modification of critical system configurations, or the installation and execution of malware. Given the wide deployment of Microsoft Office, this vulnerability could have a significant impact on organizations and individuals who do not apply the necessary security updates.

Recommendation

• Apply the security update released by Microsoft to address CVE-2026-35436 immediately.
• Monitor systems for suspicious process executions or configuration changes related to Microsoft Office Click-To-Run, using a process monitoring tool.
• Implement the Sigma rules provided below to detect potential exploitation attempts.

]]>highadvisoryprivilege-escalationcve