CVE-2017-8759 — Microsoft .NET Framework Remote Code Execution Vulnerability

CVE-2017-8759

Microsoft .NET Framework — WSDL Code Injection via Crafted SOAP Response Enables RCE When Processing Malicious Document; HIGH 7.8; Patched September 2017

What Is Microsoft .NET Framework WSDL Processing?

The .NET Framework includes a code generation mechanism for web service clients — when .NET processes a WSDL (Web Services Description Language) file (which describes a SOAP web service's interface), it generates C# or VB code describing the service. This code generation uses the PrintClientProxy function in the System.Runtime.Remoting assembly, which takes WSDL content and turns it into compilable .NET code. CVE-2017-8759 exploits this code generation mechanism: a malicious WSDL document can inject arbitrary C# code into the generated output, which is then compiled and executed.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-8759 is a code injection vulnerability in the Microsoft .NET Framework's WSDL processing — specifically in the PrintClientProxy method. When .NET processes a crafted WSDL document containing malicious SOAP content, arbitrary code is injected into the generated C# proxy class and executed. This vulnerability was exploited as a zero-day before the September 2017 patch — FireEye reported observing exploitation before the fix was available, with attackers delivering malicious Office documents that triggered .NET WSDL processing. Fixed in the September 2017 Patch Tuesday security update. CISA added CVE-2017-8759 to the KEV catalog in November 2021.

Affected Versions

Multiple .NET Framework versions — see Microsoft Security Advisory for specific affected versions (3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7) on various Windows versions.

Technical Details

Root Cause: Code Injection in WSDL PrintClientProxy

CVE-2017-8759 is a code injection vulnerability (CWE-94) in System.Runtime.Remoting's WSDL processing code. The PrintClientProxy method generates C# code from WSDL to create a client proxy class. When processing a WSDL document, it uses string interpolation that includes WSDL content without sanitization — an attacker can embed valid C# code in the WSDL document structure, and the code generator will include it verbatim in the output, which is then compiled and executed by the .NET runtime.
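The bug class described above, shown as an added example (not Microsoft's code, and not taken from the original page): a small Python model of a proxy generator that pastes a WSDL value into source text, next to a hardened variant. The choice of the soap:address location attribute as the untrusted field, the sample documents, and all function names are assumptions made for illustration.

```python
import ast
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "{http://schemas.xmlsoap.org/wsdl/soap/}"
WSDL = ('<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">'
        '<service><port><soap:address location="%s"/></port></service>'
        '</definitions>')
# Constructed inputs: one ordinary endpoint, and one that closes the string
# literal and appends a harmless marker statement.
BENIGN_WSDL = WSDL % "http://svc.example.test/api"
CRAFTED_WSDL = WSDL % "http://svc.example.test/&quot;&#10;INJECTED = True&#10;#"

def service_location(wsdl_text):
    """Return the location attribute of the first soap:address element."""
    root = ET.fromstring(wsdl_text)
    return root.find(f".//{SOAP_NS}address").get("location")

def generate_proxy_unsafe(wsdl_text):
    # Flawed pattern: untrusted text is interpolated straight into source code.
    loc = service_location(wsdl_text)
    return f'class Proxy:\n    url = "{loc}"\n'

def generate_proxy_safe(wsdl_text):
    loc = service_location(wsdl_text)
    parts = urlsplit(loc)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("location is not an http(s) URL")
    if any(ord(c) < 0x20 or c in "\"'\\" for c in loc):
        raise ValueError("location contains characters unsafe in source")
    # repr() emits a correctly escaped literal, so the value stays data.
    return f"class Proxy:\n    url = {loc!r}\n"

def top_level_nodes(source):
    """Structural check: types of the top-level statements in generated code."""
    return [type(node).__name__ for node in ast.parse(source).body]

if __name__ == "__main__":
    print(top_level_nodes(generate_proxy_unsafe(BENIGN_WSDL)))
    print(top_level_nodes(generate_proxy_unsafe(CRAFTED_WSDL)))
```

Parsing the generated source and comparing its structure against what the generator intended to emit is a cheap regression test for any code generator that consumes untrusted input.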

Attack via Office document: Attackers weaponized CVE-2017-8759 through Office documents that contain an OLE object with a SOAP moniker pointing to a remote URL serving the malicious WSDL. When Office loads the document and processes the OLE object, it calls the .NET WSDL handler, which downloads the attacker's WSDL, injects code into the proxy generation, and executes the injected code — achieving arbitrary code execution in the context of the Office process.
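For triage of the delivery mechanism described above, an added example (not from the original page) that decodes the hex payload of RTF embedded objects and reports any SOAP moniker together with the WSDL URL it points to. It assumes the moniker appears in its textual form `soap:wsdl=<url>`, stored as ASCII or UTF-16LE; the sample document and URL are constructed and the byte blob is not a valid OLE object.

```python
import re

def embedded_object_bytes(rtf_text):
    """Decode the hex payload of every \\objdata group in an RTF document."""
    blobs = []
    for m in re.finditer(r"\\objdata([^{}\\]*)", rtf_text):
        # Hex digits may be split by spaces or newlines; keep only the digits.
        digits = re.sub(r"[^0-9A-Fa-f]", "", m.group(1))
        blobs.append(bytes.fromhex(digits[: len(digits) & ~1]))
    return blobs

def find_soap_monikers(rtf_text):
    """Return WSDL URLs referenced by SOAP monikers inside embedded objects."""
    found = []
    for blob in embedded_object_bytes(rtf_text):
        # Look at the bytes as single-byte text and as UTF-16LE at both
        # alignments, since the string may start at an odd offset.
        views = [blob.decode("latin-1"),
                 blob.decode("utf-16-le", "ignore"),
                 blob[1:].decode("utf-16-le", "ignore")]
        for text in views:
            for m in re.finditer(r"soap:wsdl=([\x21-\x7e]+)", text, re.I):
                if m.group(1) not in found:
                    found.append(m.group(1))
    return found

# Constructed sample: filler bytes followed by a UTF-16LE moniker string.
SAMPLE_BLOB = (b"\x01\x05\x00\x00"
               + "soap:wsdl=http://wsdl.example.test/svc".encode("utf-16-le")
               + b"\x00\x00")
SAMPLE_RTF = ("{\\rtf1{\\object\\objautlink{\\*\\objdata "
              + SAMPLE_BLOB.hex() + "}}}")

if __name__ == "__main__":
    print(find_soap_monikers(SAMPLE_RTF))
```

Any hit is worth escalating, and the extracted host can be checked against proxy and DNS logs for the WSDL fetch.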

Attack Characteristics

| Attribute | Detail |
|---|---|
| Attack Vector | Local (AV:L) — malicious document triggers WSDL processing |
| User Interaction | Required — victim opens the document |
| Trigger | OLE SOAP moniker in Office document → WSDL download |
| Impact | Code execution as the Office process user |
| Zero-day use | Confirmed exploitation before September 2017 patch |

Discovery

CVE-2017-8759 was discovered by FireEye researchers who reported it to Microsoft after observing zero-day exploitation by an APT actor in August/September 2017. The actor delivered malicious RTF documents via spear phishing targeting Russian-speaking users.

Exploitation Context

  • Zero-day exploitation by APT: FireEye observed CVE-2017-8759 exploitation before the September 2017 patch by a sophisticated threat actor, delivering a FinFisher (FinSpy) malware variant via spear phishing — the victim received an RTF document, opened it, and the .NET WSDL injection executed the malware payload
  • FinFisher/FinSpy delivery: The specific APT campaign exploiting CVE-2017-8759 delivered FinFisher commercial surveillance software, a tool sold to government intelligence agencies; this suggests nation-state involvement
  • Document-based delivery ecosystem: CVE-2017-8759 represents one of the dominant 2017 Office document exploitation techniques alongside CVE-2017-0199, CVE-2017-8570, and CVE-2017-11826; threat actors maintained a suite of these vulnerabilities for document-based campaigns
  • CISA KEV (2021): Added November 3, 2021 as part of the initial KEV catalog launch, reflecting its historical significance in APT initial access campaigns

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply updates per vendor instructions.
  1. Apply September 2017 .NET Framework updates — install the Microsoft security updates for CVE-2017-8759 from September 2017 Patch Tuesday; modern Windows systems with automatic updates should already be patched.

  2. Keep .NET Framework updated — .NET Framework security updates are delivered via Windows Update; ensure Windows Update is enabled and .NET updates are not excluded from deployment.

  3. Enable Office Protected View — Protected View prevents untrusted documents from loading OLE objects until the user exits the sandbox; this blocks the document delivery mechanism for CVE-2017-8759.

  4. Apply Attack Surface Reduction (ASR) rules — Microsoft Defender ASR rules block Office from spawning child processes and executing scripts, which would limit the impact of OLE-based code injection in Office documents.

  5. Block outbound HTTP from Office processes — firewall rules blocking internet access from Office applications (winword.exe, excel.exe) prevent the WSDL download step required for CVE-2017-8759 exploitation, since the malicious WSDL must be fetched from a remote server.

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2017-8759 |
| Vendor / Product | Microsoft — .NET Framework |
| NVD Published | 2017-09-13 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-94 — Improper Control of Generation of Code ('Code Injection') |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2017-09-12 | Microsoft releases September 2017 Patch Tuesday security updates patching CVE-2017-8759; FireEye reports zero-day exploitation before patch |
| 2017-09-13 | CVE-2017-8759 published by NVD; FireEye publishes analysis of exploitation by suspected APT actor |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| NVD — CVE-2017-8759 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Response Center — CVE-2017-8759 | Vendor Advisory |