CVE-2015-2545 — Microsoft Office Malformed EPS File Vulnerability

Microsoft Office — EPS Image Parser RCE via Crafted PostScript in Document; Exploited by Chinese-Nexus APTs; Microsoft Disabled EPS in Office in 2017

What Is EPS in Microsoft Office?

Encapsulated PostScript (EPS) is a vector graphics format derived from Adobe's PostScript language. Microsoft Office supported importing EPS image files into documents — users could insert EPS graphics into Word, PowerPoint, and other Office applications, and Office would render them using a built-in EPS/PostScript interpreter.

EPS files are essentially programs written in the PostScript page description language. The Office EPS interpreter parses and executes these programs to produce rendered images. Because PostScript is a complete programming language, EPS files can be extraordinarily complex — and the Office EPS interpreter, being responsible for parsing complex binary/text programs, provided a significant attack surface.

CVE-2015-2545 is notable because Microsoft ultimately determined the entire EPS feature class was too dangerous to maintain — in April 2017, Microsoft disabled EPS image handling in Office entirely as a security hardening measure, effectively removing the attack surface rather than continuing to patch individual parsing bugs.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-2545 is a remote code execution vulnerability in Microsoft Office's EPS (Encapsulated PostScript) image handling that allows attackers to execute arbitrary code via a crafted EPS image embedded in an Office document. It was exploited by Chinese-nexus APT groups (including those tracked as PLATINUM and APT3) in targeted spear-phishing campaigns against South Asian and Southeast Asian government targets. It was patched in MS15-099 (September 8, 2015). In April 2017, Microsoft permanently disabled EPS support in Office as a broader security measure.

Affected Versions

| Product | Status |
| --- | --- |
| Microsoft Office 2007 SP3 | Vulnerable |
| Microsoft Office 2010 SP2 | Vulnerable |
| Microsoft Office 2013 / 2013 RT | Vulnerable |

Fixed in MS15-099 (September 2015). EPS support disabled entirely in April 2017 via security update.

Technical Details

Root Cause: Memory Corruption in EPS/PostScript Parser

CVE-2015-2545 involves memory corruption (CWE-119) in Office's EPS image rendering engine. When Office processes a specially crafted EPS image file embedded in a Word, PowerPoint, or other Office document, the PostScript interpreter encounters a malformed or crafted program element that triggers a buffer overflow or similar memory corruption — writing beyond allocated bounds into adjacent heap memory.

Since EPS is a full programming language, the parser has a large attack surface: crafted PostScript operations can target specific code paths in the interpreter's arithmetic, string handling, or graphics state management.

Attack Delivery

CVE-2015-2545 is delivered via malicious Office documents with embedded EPS images:

  1. Attacker creates a malicious DOC/PPT/XLS file containing a crafted EPS image
  2. Spear-phishing email delivers the file to targeted individuals
  3. User opens the document in Microsoft Office
  4. Office renders the EPS image, triggering the memory corruption
  5. Code execution at user privilege level

The EPS attack is particularly effective because EPS is a legitimate Office feature — security tools may not scan EPS content within documents, and Protected View restrictions apply to the document container but may not prevent EPS rendering.

Attack Characteristics

| Attribute | Detail |
| --- | --- |
| Attack Vector | Local — malicious document with embedded EPS image |
| User Interaction | Required (open document) |
| File Types | .doc, .docx, .ppt, .pptx, .xls, .xlsx with EPS images |
| Root Cause | PostScript interpreter memory corruption |
| Long-Term Fix | Microsoft disabled EPS entirely (April 2017) |

Discovery

Reported to Microsoft and patched in MS15-099 (September 2015). Security researchers subsequently documented continued exploitation of EPS-based vulnerabilities through 2016–2017, including at least two additional EPS CVEs (CVE-2017-0261 and CVE-2017-0262) before Microsoft removed EPS support entirely.

Exploitation Context

  • Chinese-nexus APT campaigns: CVE-2015-2545 was exploited by at least two Chinese-nexus threat actor clusters in targeted attacks against South Asian government organizations, financial institutions, and defense-related entities in India, Pakistan, and Bangladesh; Microsoft MSTIC and Kaspersky both documented these campaigns
  • EPS attack class persistence: The EPS vulnerability class in Office was repeatedly exploited through 2017 — attackers continued using EPS-based techniques as subsequent CVEs were found; Microsoft ultimately removed EPS support in April 2017 after CVE-2017-0261/0262 again demonstrated active exploitation
  • Bypassing Protected View: The EPS rendering occurred even for documents opened in Protected View in some configurations, bypassing one of Office's key security barriers
  • CISA KEV (2022): Added March 2022

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply MS15-099 (September 2015). Additionally, apply the April 2017 security update that disables EPS support — this eliminates the entire EPS attack surface.

  2. Disable EPS via registry (if the April 2017 update cannot be applied immediately):

    HKLM\SOFTWARE\Microsoft\Office\Common\Security\DisableEPS = 1
    
  3. Keep Office current — Microsoft's April 2017 EPS disable and subsequent security updates protect patched systems.

  4. Migrate to Microsoft 365 — Microsoft 365 receives automatic security updates and runs on current, patched Office builds without legacy EPS support.

  5. Email attachment scanning — scan Office documents for embedded EPS content as an additional detection layer.
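
One way to implement the embedded-EPS scan from step 5, as an added example that is not part of the original advisory. It checks every part of an OOXML container for EPS signatures regardless of file extension and falls back to a raw header scan for legacy binary documents; the function names and sample documents are constructed for illustration.

```python
import io
import zipfile

# EPS signatures: the ASCII PostScript header and the 4-byte DOS EPS
# binary header that can precede it when a preview image is bundled.
EPS_MAGICS = (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")


def find_eps(data: bytes) -> list[str]:
    """Return locations of embedded EPS content in an Office file's bytes."""
    hits = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        # OOXML (.docx/.pptx/.xlsx): parts are usually deflated, so each
        # one is opened and its first decompressed bytes are inspected.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as part:
                    head = part.read(32)
                by_name = info.filename.lower().endswith((".eps", ".ps"))
                by_magic = head.startswith(EPS_MAGICS)
                if by_name or by_magic:
                    reason = "magic" if by_magic else "extension"
                    hits.append(f"{info.filename} ({reason})")
        return hits
    # Legacy OLE2 (.doc/.ppt/.xls) or unknown container: raw scan for the
    # ASCII header only (the 4-byte binary magic is too short to match raw).
    pos = data.find(EPS_MAGICS[0])
    while pos != -1:
        hits.append(f"offset {pos} (magic)")
        pos = data.find(EPS_MAGICS[0], pos + 1)
    return hits


def build_sample(parts: dict[str, bytes]) -> bytes:
    """Build a constructed, minimal OOXML-like ZIP for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a harmless EPS header stored under a .png name,
    # and a clean document with no media parts.
    eps_stub = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"
    doc = {"word/document.xml": b"<w:document/>"}
    print(find_eps(build_sample({**doc, "word/media/image1.png": eps_stub})))
    print(find_eps(build_sample(doc)))
```

The raw fallback misses EPS data stored inside compressed or encrypted streams of a legacy container, so treat a clean result on those files as inconclusive.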

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2015-2545 |
| Vendor / Product | Microsoft — Office |
| NVD Published | 2015-09-09 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2015-09-08 | Microsoft Security Bulletin MS15-099 released; CVE-2015-2545 patched |
| 2015-09-09 | CVE-2015-2545 published by NVD |
| 2017-04-11 | Microsoft disables EPS image support in Office entirely via security advisory 2264072 update |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |