{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2024-7262/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2024-7262"},{"cvss":7.8,"id":"CVE-2024-7263"}],"_cs_exploited":false,"_cs_products":["WPS Office"],"_cs_severities":["high"],"_cs_tags":["dll-hijacking","wps-office","cve-2024-7262","cve-2024-7263","execution","initial-access"],"_cs_type":"advisory","_cs_vendors":["Kingsoft"],"content_html":"\u003cp\u003eThis detection identifies potential exploitation of CVE-2024-7262 or CVE-2024-7263 in WPS Office through DLL hijacking. The attack abuses the ksoqing custom protocol handler and involves loading a remote library by the \u003ccode\u003epromecefpluginhost.exe\u003c/code\u003e executable. The rule specifically looks for DLLs loaded from suspicious locations, such as temporary directories (\u003ccode\u003eAppData\\\\Local\\\\Temp\\\\wps\\\\INetCache\u003c/code\u003e), device paths (\u003ccode\u003e\\\\Device\\\\Mup\\\\\u003c/code\u003e), or UNC paths (\u003ccode\u003e\\\\\\\\*\u003c/code\u003e). Successful exploitation could lead to arbitrary code execution. This activity has been observed as of August 2024, and defenders should be aware that exploitation may occur through specially crafted WPS files or links.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user opens a malicious WPS Office document or clicks a specially crafted link.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewps.exe\u003c/code\u003e or \u003ccode\u003eet.exe\u003c/code\u003e process is launched to handle the document/link, potentially utilizing the \u0026ldquo;ksoqing\u0026rdquo; protocol.\u003c/li\u003e\n\u003cli\u003eThe WPS Office application attempts to load a plugin via \u003ccode\u003epromecefpluginhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to a DLL hijacking vulnerability (CVE-2024-7262 or CVE-2024-7263), \u003ccode\u003epromecefpluginhost.exe\u003c/code\u003e attempts to load a malicious DLL from a non-standard location such as \u003ccode\u003eAppData\\\\Local\\\\Temp\\\\wps\\\\INetCache\u003c/code\u003e, \u003ccode\u003e\\\\Device\\\\Mup\\\\\u003c/code\u003e, or a UNC path.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL is loaded into the \u003ccode\u003epromecefpluginhost.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the \u003ccode\u003epromecefpluginhost.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised process and can perform actions such as downloading further malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows for arbitrary code execution within the context of the WPS Office application. This can lead to a complete compromise of the user\u0026rsquo;s system, including data theft, installation of malware, and lateral movement within the network. There is no specific information on the number of victims or sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;WPS Office Exploitation via DLL Hijack - Library Load\u0026rdquo; to your SIEM to detect suspicious DLL loads by \u003ccode\u003epromecefpluginhost.exe\u003c/code\u003e (see rule below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;WPS Office Exploitation via DLL Hijack - Image Load\u0026rdquo; to your SIEM to detect suspicious image loads by \u003ccode\u003epromecefpluginhost.exe\u003c/code\u003e (see rule below).\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from \u003ccode\u003epromecefpluginhost.exe\u003c/code\u003e for suspicious outbound traffic.\u003c/li\u003e\n\u003cli\u003eUpgrade WPS Office to a vendor-supported release that remediates both CVE-2024-7262 and CVE-2024-7263.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) to enhance visibility into DLL loading events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T11:40:07Z","date_published":"2026-05-06T11:40:07Z","id":"/briefs/2024-11-wps-office-dll-hijack/","summary":"The rule detects the loading of a remote library by the WPS Office promecefpluginhost.exe executable, which may indicate exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijacking abusing the ksoqing custom protocol handler.","title":"WPS Office Exploitation via DLL Hijack","url":"https://feed.craftedsignal.io/briefs/2024-11-wps-office-dll-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2024-7262","version":"https://jsonfeed.org/version/1.1"}