CVE-2017-11882 — Microsoft Office Memory Corruption Vulnerability

CVE-2017-11882

Microsoft Office — 17-Year-Old Equation Editor (EQNEDT32.EXE) Stack Overflow; No ASLR/DEP; Massively Exploited for RAT/Ransomware Delivery Globally; Patched November 2017

What Is the Microsoft Equation Editor?

Microsoft Equation Editor (EQNEDT32.EXE) was a legacy OLE component bundled with Microsoft Office that allowed users to insert and edit mathematical equations in Word documents. The component was first compiled in November 2000 and was never updated with modern security hardening — running without ASLR (Address Space Layout Randomization) or DEP (Data Execution Prevention) protection. It remained bundled with Office versions from Office 2000 through Office 2016. The absence of these mitigations meant that a stack overflow in EQNEDT32.EXE was trivially exploitable without any bypass techniques, making CVE-2017-11882 one of the most reliably exploitable Office vulnerabilities ever discovered.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-11882 is a stack buffer overflow in the Microsoft Office Equation Editor (EQNEDT32.EXE) and one of the most heavily exploited Office vulnerabilities in history. When a user opens an Office document containing a malformed OLE equation object, the 17-year-old EQNEDT32.EXE binary — compiled without modern exploit mitigations — processes the malformed data and overflows its stack, directly executing attacker shellcode. The flaw was discovered by Embedi researchers and patched in the November 2017 Patch Tuesday; within days of publication it was mass-adopted by hundreds of criminal actor groups and became the dominant vehicle for delivering FORMBOOK, NJRAT, LOKI, and other RATs globally for years. Its known-ransomware-use flag reflects its extensive use in ransomware delivery campaigns. CISA added CVE-2017-11882 to the KEV catalog in November 2021.

Affected Versions

Product | Status
Microsoft Office 2007 SP3 | Vulnerable
Microsoft Office 2010 SP2 (32/64-bit) | Vulnerable
Microsoft Office 2013 SP1 (32/64-bit) | Vulnerable
Microsoft Office 2016 (32/64-bit) | Vulnerable
All of the above with the November 2017 security update | Fixed
Microsoft Office 365 (after the January 2018 update) | EQNEDT32.EXE removed

Technical Details

Root Cause: Stack Overflow in Unprotected Legacy Binary

CVE-2017-11882 is a memory buffer vulnerability (CWE-119) — specifically a stack buffer overflow — in EQNEDT32.EXE, the Microsoft Equation Editor component. When Office opens a document containing an OLE equation object, EQNEDT32.EXE is launched as a separate process to handle the equation rendering. The binary processes equation data structures and copies font name strings into a fixed-size stack buffer without bounds checking. An attacker crafts an equation object with an oversized font name that overflows the stack buffer, overwriting the saved return address with a pointer to shellcode.

Why this was uniquely dangerous:

Property | EQNEDT32.EXE (compiled 2000) | Modern Office component
ASLR | No | Yes
DEP | No | Yes
Stack canaries | No | Yes
SafeSEH | No | Yes

Without ASLR, the shellcode jump target is always the same predictable address. Without DEP, shellcode executes directly on the stack. Without stack canaries, the overflow is not detected before the corrupted return address is used. This combination made exploitation completely trivial: no sophisticated exploitation technique was required, and the same exploit worked reliably across all affected Office versions.

Attack chain:

  1. Attacker creates a Word/RTF document with a malformed OLE equation object
  2. User opens the document; Office launches EQNEDT32.EXE to render the equation
  3. EQNEDT32.EXE's stack overflows and executes attacker shellcode
  4. Shellcode downloads and executes a payload (RAT, downloader, ransomware dropper)
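The attack chain above leaves a process-tree footprint a defender can hunt for. The following is an added example, not part of the original page: it scans process-creation events shaped like Sysmon Event ID 1 (the field names UtcTime, Computer, Image, ParentImage and CommandLine are assumed from that schema) and the sample events it runs on are constructed, not real telemetry.

```powershell
# Added example, not from the original page. Hunts process-creation events for the
# two shapes the attack chain above produces: EQNEDT32.EXE being launched to render
# an OLE object (step 2) and EQNEDT32.EXE spawning a child process (steps 3-4); an
# equation renderer never legitimately starts other programs. Field names follow
# Sysmon Event ID 1 (UtcTime, Computer, Image, ParentImage, CommandLine); the
# sample events are constructed, not real telemetry.
function Find-EquationEditorActivity {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $child  = ([IO.Path]::GetFileName($e.Image)).ToUpperInvariant()
        $parent = ([IO.Path]::GetFileName($e.ParentImage)).ToUpperInvariant()
        $reason = $null
        if ($parent -eq 'EQNEDT32.EXE') {
            # Step 3-4 shape: code running inside Equation Editor launched a payload.
            $reason = 'EQNEDT32.EXE spawned a child process'
        } elseif ($child -eq 'EQNEDT32.EXE') {
            # Step 2 shape. Equation Editor is an out-of-process COM server, so the
            # recorded parent is often svchost.exe (DCOM) rather than WINWORD.EXE;
            # report every launch instead of keying on the Office parent.
            $reason = 'Equation Editor launched (parent: {0})' -f $parent
        }
        if ($reason) {
            [pscustomobject]@{
                UtcTime = $e.UtcTime; Computer = $e.Computer; Reason = $reason
                Parent  = $e.ParentImage; Child = $e.Image; CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample: a benign Word start, an Equation Editor launch, then Equation
# Editor starting cmd.exe (treat that last one as an incident, not a hunt lead).
$Sample = @(
    [pscustomobject]@{ UtcTime = '2017-11-22 09:14:01'; Computer = 'WS-0142'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE'
        CommandLine = '"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.rtf"' },
    [pscustomobject]@{ UtcTime = '2017-11-22 09:14:03'; Computer = 'WS-0142'
        ParentImage = 'C:\Windows\System32\svchost.exe'
        Image       = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
        CommandLine = '"EQNEDT32.EXE" -Embedding' },
    [pscustomobject]@{ UtcTime = '2017-11-22 09:14:04'; Computer = 'WS-0142'
        ParentImage = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c <constructed placeholder, payload command omitted>' }
)

Find-EquationEditorActivity -Events $Sample | Format-Table -AutoSize
```

In production, replace $Sample with the output of Get-WinEvent over the Sysmon operational log; the second and third sample events are the ones the function reports.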

Attack Characteristics

Attribute | Detail
Attack Vector | File delivery — malicious Office/RTF document
User Interaction | Required (open document)
Exploit Complexity | Trivial — no ASLR/DEP bypass needed
Payload Variety | RATs, banking trojans, ransomware droppers
Adoption | Hundreds of criminal groups within days of disclosure

Discovery

Discovered by Embedi security researchers and reported to Microsoft through coordinated disclosure. Embedi published a detailed technical analysis on November 15, 2017, the day after the patch — within a week, public exploit tools were available and mass phishing campaigns began.

Exploitation Context

  • Immediate mass adoption: CVE-2017-11882 set records for rapid criminal adoption — within days of Embedi's publication, dozens of phishing campaigns were delivering documents exploiting the vulnerability; within weeks, virtually every major criminal group and many nation-state actors had incorporated it into their toolkits
  • Multi-year exploitation dominance: CVE-2017-11882 remained one of the top exploited vulnerabilities for years after the 2017 patch, consistently appearing in threat intelligence reports through 2020-2021; the ease of exploitation and enormous population of unpatched Office installations kept it highly effective
  • Payload diversity: The vulnerability was used to deliver an extraordinary range of malware — FORMBOOK, NJRAT, AZORULT, LOKI Bot, AgentTesla, Remcos RAT, TrickBot, Emotet, and numerous ransomware families; virtually any malware campaign targeting Windows users considered using CVE-2017-11882 as a delivery mechanism
  • Ransomware delivery: The known-ransomware-use flag on this entry reflects that ransomware groups (including those distributing Ryuk, GandCrab, and others) used CVE-2017-11882 as a delivery mechanism via phishing campaigns targeting businesses
  • Office 365 EQNEDT32 removal: Microsoft's permanent removal of EQNEDT32.EXE from Office 365 in January 2018 — rather than just patching it — acknowledged that the 17-year-old binary was fundamentally too old to secure; this was the right decision, eliminating the entire attack surface
  • CISA KEV (2021): Added November 3, 2021 in the initial KEV batch; one of the most documented and exploited vulnerabilities in Office history

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply November 2017 Office security update — install the November 14, 2017 security update for all Office versions (2007, 2010, 2013, 2016). This is one of the most critical Office patches ever released.

  2. Remove or disable Equation Editor — even after patching, organizations that don't use the Equation Editor should remove EQNEDT32.EXE:

    reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
    
  3. Enable Protected View — ensure Protected View is active for email attachments and downloaded documents; Protected View's sandbox prevents the equation object from rendering and triggering the overflow.

  4. Deploy Attack Surface Reduction rules — the ASR rule "Block Office applications from creating child processes" prevents EQNEDT32.EXE from being launched by Word/Excel to process embedded objects.

  5. Migrate to Office 365 / Microsoft 365 — Office 365 (post-January 2018 update) has EQNEDT32.EXE permanently removed; upgrading from perpetual Office 2007-2016 closes this attack surface entirely.
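Step 2 above gives the single reg add command; the following is an added example, not from the original page or Microsoft's advisory text, that applies the same Compatibility Flags value to the Equation Editor class and reads it back so the result can be reported across a fleet. It assumes the Wow6432Node mirror of the key is the one that matters for 32-bit Office on 64-bit Windows, and it only writes when -Apply is given.

```powershell
# Added example, not from the original page or Microsoft's advisory: applies the
# step-2 Compatibility Flags kill-bit for the Equation Editor COM class and reads
# it back for reporting. Run elevated. The Wow6432Node path is assumed here for
# 32-bit Office on 64-bit Windows, where the native path alone does not apply.
$Clsid    = '{0002CE02-0000-0000-C000-000000000046}'   # class ID from step 2
$KillBit  = 0x400                                       # Compatibility Flags value from step 2
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
)

function Set-EquationEditorKillBit {
    # Creates the key if needed and sets the DWORD; audit-only unless -Apply is given.
    param([string[]]$Paths = $KeyPaths, [switch]$Apply)
    foreach ($path in $Paths) {
        if (-not $Apply) { "Audit only: would set Compatibility Flags=0x400 at $path"; continue }
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $KillBit -Force | Out-Null
    }
}

function Test-EquationEditorKillBit {
    # One row per path, so a fleet report shows exactly which key is missing or wrong.
    param([string[]]$Paths = $KeyPaths)
    foreach ($path in $Paths) {
        $item  = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $flags = if ($item) { [int]$item.'Compatibility Flags' } else { $null }
        $text  = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(missing)' }
        [pscustomobject]@{
            Path      = $path
            Flags     = $text
            Mitigated = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

Set-EquationEditorKillBit            # add -Apply to write the keys
Test-EquationEditorKillBit | Format-Table -AutoSize
```

A host is mitigated when the row for the path matching its Office bitness shows Mitigated = True; applying to both paths is harmless and avoids having to detect bitness first.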

Key Details

Property | Value
CVE ID | CVE-2017-11882
Vendor / Product | Microsoft — Office
NVD Published | 2017-11-15
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2022-05-03
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Local
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2017-11-14 | Microsoft releases the November 2017 Patch Tuesday update patching CVE-2017-11882 in Equation Editor; EQNEDT32.EXE is removed from Office 365 in a subsequent update
2017-11-15 | CVE-2017-11882 published by NVD; Embedi publishes its technical analysis of the Equation Editor vulnerability
2017-11-21 | Public proof-of-concept exploit published; mass adoption by criminal actors and multiple phishing campaigns begin within days
2018-01-09 | Microsoft permanently removes Equation Editor (EQNEDT32.EXE) from Office 365 Click-to-Run
2021-11-03 | Added to the CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2017-11882 | Vulnerability Database
CISA KEV Catalog Entry | US Government
Microsoft Security Advisory — CVE-2017-11882 | Vendor Advisory