CVE-2026-41102: Microsoft PowerPoint Improper Access Control Vulnerability Leading to Local Spoofing

hello@craftedsignal.io — Tue, 12 May 2026 18:52:14 +0000

CVE-2026-41102 describes an improper access control vulnerability affecting Microsoft Office PowerPoint. An authorized, local attacker can exploit this vulnerability to perform spoofing actions. The vulnerability exists due to insufficient checks on access rights within the application. Successful exploitation could allow the attacker to potentially mislead users or gain unauthorized privileges within the PowerPoint environment. Microsoft has released a patch to address this vulnerability, and users are urged to update their software to the latest version. This issue was publicly disclosed and assigned a CVSS v3.1 score of 7.1, indicating a high severity.

Attack Chain

An attacker gains local access to a system with a vulnerable version of Microsoft PowerPoint installed.
The attacker crafts a malicious PowerPoint file or modifies an existing one.
The crafted file leverages the improper access control vulnerability (CVE-2026-41102) to manipulate application behavior.
A legitimate user opens the malicious PowerPoint file.
Due to the access control flaw, the attacker’s crafted content spoofs legitimate elements of the PowerPoint interface or functionality.
The spoofed elements mislead the user into performing unintended actions, such as providing credentials or executing malicious code.
The attacker achieves their objective of spoofing application behavior for malicious purposes.
The impact is limited to the local machine and user context.

Impact

Successful exploitation of CVE-2026-41102 allows a local attacker to spoof elements within Microsoft PowerPoint. This spoofing could mislead users into divulging sensitive information or performing actions that compromise their local system. While the vulnerability does not lead to remote code execution or denial of service, the potential for social engineering attacks makes it a significant concern. The CVSS v3.1 base score of 7.1 reflects the high confidentiality and integrity impact on the local system.

Recommendation

Apply the security update released by Microsoft to patch CVE-2026-41102 in Microsoft Office PowerPoint.
Educate users about the risks of opening untrusted PowerPoint files from unknown sources.
Monitor endpoint logs for suspicious PowerPoint activity using the Sigma rule provided to detect potential exploitation attempts.

Persistence via Microsoft Office Add-Ins File Creation

hello@craftedsignal.io — Tue, 12 May 2026 18:39:25 +0000

The rule identifies potential persistence mechanisms employed by attackers leveraging Microsoft Office add-ins. It focuses on the creation of specific file types, including .wll, .xll, .ppa, .ppam, .xla, and .xlam, in directories such as C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*, C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*, and C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*. The detection logic also incorporates Crowdstrike specific conditions using NT Object paths. This technique allows malicious actors to execute code each time the corresponding Microsoft Office application starts, achieving persistence on the system. This activity matters because attackers can gain a foothold within an organization and maintain unauthorized access even after system reboots.

Attack Chain

The attacker gains initial access to the system, potentially through phishing or exploitation of a vulnerability.
The attacker identifies a user’s profile on the targeted Windows system.
The attacker writes a malicious Office add-in file (e.g., a .wll, .xll, .ppa, .ppam, .xla, or .xlam file) to one of the Office startup directories, such as C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*.
The attacker may use a dropper or installer to place the malicious file in the startup directory.
The system restarts or the user launches the corresponding Microsoft Office application (Word, Excel, PowerPoint).
The Office application loads the malicious add-in file from the startup directory.
The malicious add-in executes its payload, providing the attacker with persistent access to the system.
The attacker can now perform various malicious activities, such as data exfiltration, lateral movement, or further exploitation.

Impact

Successful exploitation can lead to persistent unauthorized access to the compromised system. This allows the attacker to maintain a foothold within the network, potentially leading to data theft, disruption of services, or further propagation of malware. The compromised system could be leveraged as a staging point for lateral movement or for launching attacks against other internal resources.

Recommendation

Enable Sysmon Event ID 11 (File Create) logging to capture file creation events, especially in Office startup directories, to activate the detection logic.
Deploy the Sigma rule “Persistence via Microsoft Office AddIns File Creation” to your SIEM and tune for your environment to detect malicious add-in creation.
Monitor process creation events for Microsoft Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) loading add-ins from untrusted locations.
Restrict write access to Office startup directories and add-in loader locations to prevent unauthorized file creation.
Investigate alerts related to file creations described by file.path and file.extension in the rule query.

Ms-Office — CraftedSignal Threat Feed

CVE-2026-41102: Microsoft PowerPoint Improper Access Control Vulnerability Leading to Local Spoofing

Attack Chain

Impact

Recommendation

Persistence via Microsoft Office Add-Ins File Creation

Attack Chain

Impact

Recommendation