Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
CVE-2017-11882
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 7.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.8
- EG Score
- 9.0(high)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
November 15, 2017
Last Modified
April 22, 2026
Advisory Details (10)
Auto-updated May 19, 2026Security Update Guide - Microsoft Security Response Center
Security Update Guide - Microsoft Security Response Center. Patch available via Microsoft Security Update
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882GitHub - rip1s/CVE-2017-11882: CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum. · GitHub
https://github.com/unamer/CVE-2017-11882GitHub - rxwx/CVE-2017-11882: Proof-of-Concept exploits for CVE-2017-11882 · GitHub
https://github.com/rxwx/CVE-2017-11882GitHub - embedi/CVE-2017-11882: Proof-of-Concept exploits for CVE-2017-11882 · GitHub
https://github.com/embedi/CVE-2017-11882GitHub - 0x09AL/CVE-2017-11882-metasploit: This is a Metasploit module which exploits CVE-2017-11882 using the POC released here : https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about. · GitHub
https://github.com/0x09AL/CVE-2017-11882-metasploit0patch Blog: Microsoft's Manual Binary Patch For CVE-2017-11882 Meets 0patch
https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html0patch Blog: Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did. (CVE-2017-11882)
https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.htmlLogdown - Site Maintenance
http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882Vendor Advisories for CVE-2017-11882(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 142× in last 7d / 584× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 769 total refreshes for this CVE.
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 16:22 UTCEG score recompute
- 2026-07-07 16:22 UTCVendor advisory
- 2026-07-07 16:22 UTCGHSA enrichment
- 2026-07-07 12:39 UTCEG score recompute
- 2026-07-07 12:39 UTCVendor advisory
- 2026-07-07 12:39 UTCGHSA enrichment
- 2026-07-07 08:58 UTCEG score recompute
- 2026-07-07 08:58 UTCVendor advisory
- 2026-07-07 08:57 UTCGHSA enrichment
- 2026-07-07 05:15 UTCEG score recompute
- 2026-07-07 05:15 UTCVendor advisory
- 2026-07-07 05:15 UTCGHSA enrichment
- 2026-07-07 01:34 UTCEG score recompute
- 2026-07-07 01:34 UTCVendor advisory
- 2026-07-07 01:34 UTCGHSA enrichment
- 2026-07-06 21:53 UTCEG score recompute
- 2026-07-06 21:53 UTCVendor advisory
- 2026-07-06 21:52 UTCGHSA enrichment
- 2026-07-06 18:10 UTCEG score recompute
- 2026-07-06 18:10 UTCVendor advisory
- 2026-07-06 18:10 UTCGHSA enrichment
- 2026-07-06 14:28 UTCEG score recompute
- 2026-07-06 14:28 UTCVendor advisory
- 2026-07-06 14:28 UTCGHSA enrichment
Show 75 moreShow fewer
- 2026-07-06 10:46 UTCEG score recompute
- 2026-07-06 10:46 UTCVendor advisory
- 2026-07-06 10:46 UTCGHSA enrichment
- 2026-07-06 06:58 UTCEG score recompute
- 2026-07-06 06:58 UTCVendor advisory
- 2026-07-06 06:58 UTCGHSA enrichment
- 2026-07-06 03:17 UTCEG score recompute
- 2026-07-06 03:17 UTCVendor advisory
- 2026-07-06 03:17 UTCGHSA enrichment
- 2026-07-05 23:36 UTCEG score recompute
- 2026-07-05 23:36 UTCVendor advisory
- 2026-07-05 23:36 UTCGHSA enrichment
- 2026-07-05 19:55 UTCEG score recompute
- 2026-07-05 19:55 UTCVendor advisory
- 2026-07-05 19:55 UTCGHSA enrichment
- 2026-07-05 16:14 UTCEG score recompute
- 2026-07-05 16:14 UTCVendor advisory
- 2026-07-05 16:14 UTCGHSA enrichment
- 2026-07-05 12:31 UTCEG score recompute
- 2026-07-05 12:31 UTCVendor advisory
- 2026-07-05 12:31 UTCGHSA enrichment
- 2026-07-05 08:50 UTCEG score recompute
- 2026-07-05 08:50 UTCVendor advisory
- 2026-07-05 08:49 UTCGHSA enrichment
- 2026-07-05 05:08 UTCEG score recompute
- 2026-07-05 05:08 UTCVendor advisory
- 2026-07-05 05:07 UTCGHSA enrichment
- 2026-07-05 01:24 UTCEG score recompute
- 2026-07-05 01:24 UTCVendor advisory
- 2026-07-05 01:24 UTCGHSA enrichment
- 2026-07-04 21:43 UTCEG score recompute
- 2026-07-04 21:43 UTCVendor advisory
- 2026-07-04 21:43 UTCGHSA enrichment
- 2026-07-04 18:02 UTCEG score recompute
- 2026-07-04 18:02 UTCVendor advisory
- 2026-07-04 18:02 UTCGHSA enrichment
- 2026-07-04 14:18 UTCEG score recompute
- 2026-07-04 14:18 UTCVendor advisory
- 2026-07-04 14:18 UTCGHSA enrichment
- 2026-07-04 10:37 UTCEG score recompute
- 2026-07-04 10:37 UTCVendor advisory
- 2026-07-04 10:36 UTCGHSA enrichment
- 2026-07-04 06:53 UTCEG score recompute
- 2026-07-04 06:53 UTCVendor advisory
- 2026-07-04 06:53 UTCGHSA enrichment
- 2026-07-04 03:11 UTCEG score recompute
- 2026-07-04 03:11 UTCVendor advisory
- 2026-07-04 03:11 UTCGHSA enrichment
- 2026-07-03 23:29 UTCEG score recompute
- 2026-07-03 23:29 UTCVendor advisory
- 2026-07-03 23:29 UTCGHSA enrichment
- 2026-07-03 19:48 UTCEG score recompute
- 2026-07-03 19:48 UTCVendor advisory
- 2026-07-03 19:48 UTCGHSA enrichment
- 2026-07-03 16:07 UTCEG score recompute
- 2026-07-03 16:07 UTCVendor advisory
- 2026-07-03 16:07 UTCGHSA enrichment
- 2026-07-03 12:26 UTCEG score recompute
- 2026-07-03 12:26 UTCVendor advisory
- 2026-07-03 12:26 UTCGHSA enrichment
- 2026-07-03 08:43 UTCEG score recompute
- 2026-07-03 08:43 UTCVendor advisory
- 2026-07-03 08:43 UTCGHSA enrichment
- 2026-07-03 05:02 UTCEG score recompute
- 2026-07-03 05:02 UTCVendor advisory
- 2026-07-03 05:02 UTCGHSA enrichment
- 2026-07-03 01:21 UTCEG score recompute
- 2026-07-03 01:21 UTCVendor advisory
- 2026-07-03 01:21 UTCGHSA enrichment
- 2026-07-02 21:39 UTCEG score recompute
- 2026-07-02 21:39 UTCVendor advisory
- 2026-07-02 21:39 UTCGHSA enrichment
- 2026-07-02 17:58 UTCEG score recompute
- 2026-07-02 17:58 UTCVendor advisory
- 2026-07-02 17:58 UTCGHSA enrichment
Publicly available exploits
(10 references)Working exploit code is in the public domain (9 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCRetr0-code/SignHereFirst seen Jan 25, 2021
SignHere is implementation of CVE-2017-11882. SignHere is builder of malicious rtf document and VBScript payloads.
Open source ↗ - Open source ↗GitHub PoClikekabin/CVE-2018-0802_CVE-2017-11882First seen Jan 16, 2018
- GitHub PoCRidter/RTF_11882_0802First seen Jan 12, 2018
PoC for CVE-2018-0802 And CVE-2017-11882
Open source ↗ - GitHub PoCrxwx/CVE-2018-0802First seen Jan 11, 2018
PoC Exploit for CVE-2018-0802 (and optionally CVE-2017-11882)
Open source ↗ - GitHub PoCstarnightcyber/CVE-2017-11882First seen Nov 22, 2017
CVE-2017-11882 exploitation
Open source ↗ - GitHub PoCBlackMathIT/2017-11882_GeneratorFirst seen Nov 21, 2017
CVE-2017-11882 File Generator PoC
Open source ↗ - GitHub PoCrip1s/CVE-2017-11882First seen Nov 21, 2017
CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum.
Open source ↗ - GitHub PoCRidter/CVE-2017-11882First seen Nov 21, 2017
CVE-2017-11882 from https://github.com/embedi/CVE-2017-11882
Open source ↗ - GitHub PoC0x09AL/CVE-2017-11882-metasploitFirst seen Nov 21, 2017
This is a Metasploit module which exploits CVE-2017-11882 using the POC released here : https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about.
Open source ↗ - Exploit-DBEDB-43163First seen Nov 20, 2017
Microsoft Office - OLE Remote Code Execution
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownmsrc
- CVE-2006-10003EG 9.8CRITICAL
- CVE-2015-20107NVD 7.6EG 9.8EPSS 93%HIGH
- CVE-2013-7381EG 9.8CRITICAL
- CVE-2014-0048EG 9.8EPSS 93%CRITICAL
- CVE-2007-4559EG 9.8EPSS 98%CRITICAL
- CVE-2013-3900NVD 5.5EG 9.0 KEVEPSS 99%MEDIUM
- CVE-2013-2094NVD 8.4EG 9.0 KEVEPSS 99%HIGH
- CVE-2014-9356EG 8.6EPSS 91%HIGH
- CVE-2014-5282EG 8.1HIGH
- CVE-2014-8141EG 7.8EPSS 94%HIGH
Same CWE
10 shownCWE-119
Frequently asked(6)
What is CVE-2017-11882?
When was CVE-2017-11882 disclosed?
Is CVE-2017-11882 actively exploited?
What is the CVSS score of CVE-2017-11882?
Which products are affected by CVE-2017-11882?
How do I remediate CVE-2017-11882?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2017-11882
Is Your Infrastructure Affected by CVE-2017-11882?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.