CVE-2024-7262 — Kingsoft WPS Office Path Traversal Vulnerability

CVE-2024-7262

Kingsoft WPS Office — Malicious Document Loads Arbitrary DLL via promecefpluginhost.exe; Used by APT-C-60 to Deploy SpyGlace

What is Kingsoft WPS Office?

WPS Office is a Microsoft Office-compatible productivity suite developed by Kingsoft, widely used across East Asia — particularly in China, South Korea, and Japan — as well as by Chinese diaspora communities globally. It supports .doc, .xls, .ppt, and .pdf formats and includes its own word processor, spreadsheet, and presentation software. WPS Office has a large installed base in regions where Microsoft Office adoption is lower, making it a relevant phishing and exploitation target for APT groups operating in East Asian geopolitical contexts.

Overview

CVE-2024-7262 is a vulnerability in the promecefpluginhost.exe component of WPS Office for Windows that allows a malicious document to cause WPS Office to load an arbitrary Windows DLL file from an attacker-specified path. When a victim opens a specially crafted WPS document, the document can specify a plugin path that causes promecefpluginhost.exe to load and execute a malicious DLL. ESET Research discovered this vulnerability being exploited by APT-C-60 — a South Korea-aligned threat actor — to deploy the SpyGlace backdoor against targets in East Asia. Kingsoft fixed the vulnerability in WPS Office 12.2.0.17119.

Affected Versions

Product | Vulnerable | Fixed
Kingsoft WPS Office for Windows | < 12.2.0.17119 | 12.2.0.17119

Technical Details

The vulnerability is classified as CWE-22 (Path Traversal, used here in the sense of loading a library from an arbitrary path). The promecefpluginhost.exe process in WPS Office handles the loading of browser-based plugin components (using a Chromium Embedded Framework variant). A WPS document can specify a custom plugin path parameter that promecefpluginhost.exe uses to locate and load a DLL. Because this path is taken from document-controlled data without adequate validation or restriction to a safe directory, an attacker who crafts a malicious document can specify an arbitrary DLL path, including a UNC path to a remote SMB share, causing the WPS process to load attacker-controlled code.

The exploit flow:

  1. Victim opens a malicious .wps or Office-format document.
  2. The document triggers promecefpluginhost.exe with a crafted plugin path.
  3. promecefpluginhost.exe loads the attacker-specified DLL.
  4. DLL code executes in the context of the WPS process — providing arbitrary code execution.

ESET noted a companion vulnerability, CVE-2024-7263, which is a bypass of the initial CVE-2024-7262 fix.

Discovery

Discovered by ESET Research while tracking APT-C-60, a South Korea-aligned threat actor targeting organizations in China, Japan, and other East Asian countries. ESET published a detailed technical analysis of the exploitation chain and the SpyGlace backdoor payload.

Exploitation Context

APT-C-60 used CVE-2024-7262 in targeted spear-phishing campaigns delivering malicious WPS documents to East Asian organizations. The SpyGlace backdoor provides remote access, keylogging, screen capture, and data exfiltration capabilities. The choice of WPS Office as the exploitation vector reflects APT-C-60's focus on East Asian targets, where WPS has significant market share and users may be less accustomed to Office-format document security warnings.

Remediation

  1. Update WPS Office for Windows to version 12.2.0.17119 or later — also check for the patch addressing CVE-2024-7263 (a bypass of this fix).
  2. Organizations with WPS Office deployments in East Asian offices should treat this update as high priority given the active APT exploitation context.
  3. Deploy email security solutions that inspect WPS/Office format documents for known exploitation indicators.
  4. Consider whether WPS Office can be replaced with Microsoft 365 or LibreOffice in environments where the East Asia compatibility advantage is not needed.
  5. Monitor for promecefpluginhost.exe loading DLLs from unusual paths, particularly UNC paths.
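
One way to implement the monitoring in step 5, as an added example (not code from ESET, Kingsoft, or this page): it classifies Sysmon Event ID 7 (ImageLoad) records, assumed to be exported as dictionaries with the standard Image and ImageLoaded fields. The trusted directories, the install path and all sample events are assumptions constructed for illustration.

```python
import ntpath

TARGET = "promecefpluginhost.exe"
# Assumption: directories this process is expected to load DLLs from.
# Adjust to the actual install location (per-user installs live elsewhere).
TRUSTED_ROOTS = (
    r"c:\program files\kingsoft\wps office",
    r"c:\program files (x86)\kingsoft\wps office",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

def normalize(path):
    """Lower-case, unify separators, unwrap extended-length prefixes, collapse '..'."""
    p = path.replace("/", "\\")
    if p[:4] in ("\\\\?\\", "\\\\.\\"):      # extended-length / device prefix
        p = p[4:]
        if p[:4].lower() == "unc\\":        # \\?\UNC\server\share -> \\server\share
            p = "\\\\" + p[4:]
    return ntpath.normpath(p).lower()

def classify(event):
    """Return (severity, reason) for a suspicious load, or None."""
    if ntpath.basename(normalize(event["Image"])) != TARGET:
        return None                          # only this host process is in scope
    dll = normalize(event["ImageLoaded"])
    if dll.startswith("\\\\"):
        return ("high", "DLL loaded from UNC path")
    # Require a trailing separator so "system32evil" does not match "system32".
    if not any(dll.startswith(root + "\\") for root in TRUSTED_ROOTS):
        return ("medium", "DLL loaded outside trusted directories")
    return None

def triage(events):
    """Return (ImageLoaded, severity, reason) for every flagged event."""
    return [(ev["ImageLoaded"], *v) for ev in events if (v := classify(ev))]

# Constructed sample events (not real telemetry); 198.51.100.7 is a documentation address.
HOST = r"C:\Program Files\Kingsoft\WPS Office\promecefpluginhost.exe"
SAMPLE_EVENTS = [
    {"Image": HOST, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": HOST, "ImageLoaded": r"\\198.51.100.7\share\plugin.dll"},
    {"Image": HOST, "ImageLoaded": r"\\?\UNC\fileserver\share\x.dll"},
    {"Image": HOST, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\plugin.dll"},
    {"Image": HOST, "ImageLoaded": r"C:\Windows\System32\..\..\Users\Public\x.dll"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"\\fileserver\share\shellext.dll"},
]

if __name__ == "__main__":
    for path, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {path}")
```

Loads from user-writable local directories are rated lower than UNC loads here only because they need more context to judge; both deserve review when the parent is a document opened from e-mail.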

Key Details

Property | Value
CVE ID | CVE-2024-7262
Vendor / Product | Kingsoft — WPS Office
NVD Published | 2024-08-15
NVD Last Modified | 2025-10-30
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-22
CISA KEV Added | 2024-09-03
CISA KEV Deadline | 2024-09-24
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Local
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2024-09-24. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-08-15 | CVE published; Kingsoft releases WPS Office 12.2.0.17119 addressing the vulnerability
2024-09-03 | Added to CISA Known Exploited Vulnerabilities catalog
2024-09-24 | CISA BOD 22-01 remediation deadline