A proof-of-concept (PoC) exploit is now available for CVE-2023-21716, a serious RCE flaw in Microsoft Word that can be triggered when a user previews a specially crafted RTF document. Microsoft provided patches last month for the bug, which affects numerous MS Office and SharePoint versions, Microsoft 365 Apps for Business, and other products.
The vulnerability is a heap corruption flaw in the RTF parser in Microsoft Word that, if exploited, enables attackers to execute code remotely with the victim’s privileges. Exploitation requires no prior authentication: attackers can simply send a booby-trapped RTF file to the victim(s) over email.