CVE-2024-7262 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) affecting Kingsoft WPS Office on Windows platforms, specifically versions from 12.2.0.13110 up to but excluding 12.2.0.16412. The flaw exists in the promecefpluginhost.exe process, which fails to properly validate file paths, enabling an attacker to perform a path traversal attack. This allows the attacker to load arbitrary Windows dynamic link libraries (DLLs) by manipulating the pathname input. The vulnerability is exploited via a maliciously crafted spreadsheet document that, when opened and interacted with by a user (single-click), triggers the loading of unauthorized libraries, potentially leading to remote code execution. The CVSS 4.0 vector indicates local attack vector (AV:L) but with low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:P). The impact on confidentiality, integrity, and availability is rated high, reflecting the potential for full system compromise. Although no public exploits have been reported yet, the vulnerability's characteristics and weaponization in deceptive documents suggest a high risk of exploitation. The lack of available patches at the time of reporting necessitates immediate risk mitigation strategies.

For European organizations, the impact of CVE-2024-7262 is significant due to the widespread use of Kingsoft WPS Office as an alternative productivity suite, especially in enterprises and government agencies seeking cost-effective solutions. Successful exploitation can lead to arbitrary code execution with the privileges of the user opening the malicious document, potentially resulting in data theft, installation of persistent malware, lateral movement within networks, and disruption of business operations. Confidentiality is at risk as attackers may access sensitive documents and credentials. Integrity and availability can be compromised through system manipulation or denial of service. The requirement for user interaction via a deceptive spreadsheet increases the risk in environments where users frequently exchange documents or where phishing defenses are weak. Given the critical severity and ease of exploitation, organizations face a high risk of targeted attacks or opportunistic exploitation campaigns.

1. Immediately audit and inventory all installations of Kingsoft WPS Office to identify affected versions (12.2.0.13110 up to 12.2.0.16412 exclusive). 2. Apply vendor patches or updates as soon as they become available; monitor Kingsoft’s official channels for patch releases. 3. Until patches are available, restrict execution privileges of promecefpluginhost.exe using application control policies to limit DLL loading from untrusted directories. 4. Employ endpoint detection and response (EDR) solutions to monitor for anomalous DLL loads or process behaviors related to WPS Office. 5. Implement strict email and document filtering to block or quarantine suspicious spreadsheet attachments, especially from unknown or untrusted sources. 6. Conduct user awareness training focused on the risks of opening unsolicited or unexpected documents and recognizing phishing attempts. 7. Use sandboxing or isolated environments for opening documents from external sources to contain potential exploitation. 8. Consider network segmentation to limit lateral movement if a compromise occurs. 9. Regularly review and update incident response plans to include scenarios involving exploitation of office suite vulnerabilities.