Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
CVE-2017-0199
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 7.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.8
- EG Score
- 9.0(medium)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
April 12, 2017
Last Modified
April 22, 2026
Advisory Details (8)
Auto-updated May 19, 2026Microsoft Excel - OLE Arbitrary Code Execution - Windows dos Exploit
https://www.exploit-db.com/exploits/42995/Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit) - Windows remote Exploit
https://www.exploit-db.com/exploits/41934/Microsoft Word - '.RTF' Remote Code Execution - Windows remote Exploit
https://www.exploit-db.com/exploits/41894/Security Update Guide - Microsoft Security Response Center
Security Update Guide - Microsoft Security Response Center. Patch available via Microsoft Security Update
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199Analysis of a CVE-2017-0199 Malicious RTF Document – NVISO Labs
https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/CVE-2017-0199 Practical exploitation ! (PoC)
http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.htmlAll Vendor Advisories
(1)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
Data Freshness Timeline
(refreshed 136× in last 7d / 570× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 747 total refreshes for this CVE.
- 2026-07-07 11:23 UTCEG score recompute
- 2026-07-07 11:23 UTCVendor advisory
- 2026-07-07 11:23 UTCGHSA enrichment
- 2026-07-07 07:39 UTCEG score recompute
- 2026-07-07 07:39 UTCVendor advisory
- 2026-07-07 07:39 UTCGHSA enrichment
- 2026-07-07 03:55 UTCEG score recompute
- 2026-07-07 03:55 UTCVendor advisory
- 2026-07-07 03:55 UTCGHSA enrichment
- 2026-07-07 00:12 UTCEG score recompute
- 2026-07-07 00:12 UTCVendor advisory
- 2026-07-07 00:12 UTCGHSA enrichment
- 2026-07-06 20:28 UTCEG score recompute
- 2026-07-06 20:28 UTCVendor advisory
- 2026-07-06 20:28 UTCGHSA enrichment
- 2026-07-06 16:44 UTCEG score recompute
- 2026-07-06 16:44 UTCVendor advisory
- 2026-07-06 16:44 UTCGHSA enrichment
- 2026-07-06 13:01 UTCEG score recompute
- 2026-07-06 13:01 UTCVendor advisory
- 2026-07-06 13:01 UTCGHSA enrichment
- 2026-07-06 09:16 UTCEG score recompute
- 2026-07-06 09:16 UTCVendor advisory
- 2026-07-06 09:16 UTCGHSA enrichment
- 2026-07-06 05:30 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-06 05:30 UTCVendor advisory
- 2026-07-06 05:30 UTCGHSA enrichment
- 2026-07-06 01:47 UTCEG score recompute
- 2026-07-06 01:47 UTCVendor advisory
- 2026-07-06 01:47 UTCGHSA enrichment
- 2026-07-05 22:04 UTCEG score recompute
- 2026-07-05 22:04 UTCVendor advisory
- 2026-07-05 22:04 UTCGHSA enrichment
- 2026-07-05 18:21 UTCEG score recompute
- 2026-07-05 18:21 UTCVendor advisory
- 2026-07-05 18:21 UTCGHSA enrichment
- 2026-07-05 14:37 UTCEG score recompute
- 2026-07-05 14:37 UTCVendor advisory
- 2026-07-05 14:37 UTCGHSA enrichment
- 2026-07-05 10:53 UTCEG score recompute
- 2026-07-05 10:53 UTCVendor advisory
- 2026-07-05 10:53 UTCGHSA enrichment
- 2026-07-05 07:08 UTCEG score recompute
- 2026-07-05 07:08 UTCVendor advisory
- 2026-07-05 07:08 UTCGHSA enrichment
- 2026-07-05 03:23 UTCEG score recompute
- 2026-07-05 03:23 UTCVendor advisory
- 2026-07-05 03:23 UTCGHSA enrichment
- 2026-07-04 23:38 UTCEG score recompute
- 2026-07-04 23:38 UTCVendor advisory
- 2026-07-04 23:38 UTCGHSA enrichment
- 2026-07-04 19:55 UTCEG score recompute
- 2026-07-04 19:55 UTCVendor advisory
- 2026-07-04 19:55 UTCGHSA enrichment
- 2026-07-04 16:12 UTCEG score recompute
- 2026-07-04 16:12 UTCVendor advisory
- 2026-07-04 16:12 UTCGHSA enrichment
- 2026-07-04 12:29 UTCEG score recompute
- 2026-07-04 12:29 UTCVendor advisory
- 2026-07-04 12:29 UTCGHSA enrichment
- 2026-07-04 08:46 UTCEG score recompute
- 2026-07-04 08:46 UTCVendor advisory
- 2026-07-04 08:46 UTCGHSA enrichment
- 2026-07-04 05:04 UTCEG score recompute
- 2026-07-04 05:04 UTCVendor advisory
- 2026-07-04 05:03 UTCGHSA enrichment
- 2026-07-04 01:20 UTCEG score recompute
- 2026-07-04 01:20 UTCVendor advisory
- 2026-07-04 01:20 UTCGHSA enrichment
- 2026-07-03 21:37 UTCEG score recompute
- 2026-07-03 21:37 UTCVendor advisory
- 2026-07-03 21:37 UTCGHSA enrichment
- 2026-07-03 17:54 UTCEG score recompute
- 2026-07-03 17:54 UTCVendor advisory
- 2026-07-03 17:54 UTCGHSA enrichment
- 2026-07-03 14:09 UTCEG score recompute
- 2026-07-03 14:09 UTCVendor advisory
- 2026-07-03 14:09 UTCGHSA enrichment
- 2026-07-03 10:26 UTCEG score recompute
- 2026-07-03 10:26 UTCVendor advisory
- 2026-07-03 10:26 UTCGHSA enrichment
- 2026-07-03 06:42 UTCEG score recompute
- 2026-07-03 06:42 UTCVendor advisory
- 2026-07-03 06:42 UTCGHSA enrichment
- 2026-07-03 02:58 UTCEG score recompute
- 2026-07-03 02:58 UTCVendor advisory
- 2026-07-03 02:58 UTCGHSA enrichment
- 2026-07-02 23:14 UTCEG score recompute
- 2026-07-02 23:14 UTCVendor advisory
- 2026-07-02 23:14 UTCGHSA enrichment
- 2026-07-02 19:30 UTCEG score recompute
- 2026-07-02 19:30 UTCVendor advisory
- 2026-07-02 19:30 UTCGHSA enrichment
- 2026-07-02 15:48 UTCEG score recompute
- 2026-07-02 15:48 UTCVendor advisory
- 2026-07-02 15:48 UTCGHSA enrichment
- 2026-07-02 12:04 UTCEG score recompute
- 2026-07-02 12:04 UTCVendor advisory
- 2026-07-02 12:04 UTCGHSA enrichment
- 2026-07-02 08:20 UTCEG score recompute
Publicly available exploits
(10 references)Working exploit code is in the public domain (7 GitHub PoCs) (3 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCjacobsoo/RTF-CleanerFirst seen Dec 8, 2017
RTF Cleaner, tries to extract URL from malicious RTF samples using CVE-2017-0199 & CVE-2017-8759
Open source ↗ - GitHub PoCnicpenning/RTF-CleanerFirst seen Nov 3, 2017
RTF de-obfuscator for CVE-2017-0199 documents to find URLs statically.
Open source ↗ - Exploit-DBEDB-42995First seen Sep 30, 2017
Microsoft Excel - OLE Arbitrary Code Execution
Open source ↗ - Exploit-DBEDB-41934✓ verifiedFirst seen Apr 25, 2017
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)
Open source ↗ - GitHub PoCkn0wm4d/htattackFirst seen Apr 24, 2017
An exploit implementation for RCE in RTF & DOCs (CVE-2017-0199)
Open source ↗ - GitHub PoCn1shant-sinha/CVE-2017-0199First seen Apr 23, 2017
Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter payload to victim without any complex configuration.
Open source ↗ - GitHub PoCExploit-install/CVE-2017-0199First seen Apr 22, 2017
Exploit toolkit CVE-2017-0199 - v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / any other payload to victim without any complex configuration.
Open source ↗ - GitHub PoCmzakyz666/PoC-CVE-2017-0199First seen Apr 22, 2017
Exploit toolkit for vulnerability RCE Microsoft RTF
Open source ↗ - GitHub PoChaibara3839/CVE-2017-0199-masterFirst seen Apr 19, 2017
CVE-2017-0199
Open source ↗ - Exploit-DBEDB-41894First seen Apr 18, 2017
Microsoft Word - '.RTF' Remote Code Execution
Open source ↗
Frequently asked(6)
What is CVE-2017-0199?
When was CVE-2017-0199 disclosed?
Is CVE-2017-0199 actively exploited?
What is the CVSS score of CVE-2017-0199?
Which products are affected by CVE-2017-0199?
How do I remediate CVE-2017-0199?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2017-0199
Is Your Infrastructure Affected by CVE-2017-0199?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.