Mallory
High | CISA KEV | Exploited in the wild | Public exploit

Microsoft Office Malformed EPS File Remote Code Execution

Identifiers: CVE-2015-2545, CWE-20

CVE-2015-2545 is a remote code execution vulnerability in Microsoft Office’s handling of Encapsulated PostScript (EPS) content, described as an EPS parsing flaw in the EPSIMP32.FLT module. Affected products include Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and Office 2013 RT SP1. An attacker can embed a specially crafted EPS image in an Office document, including DOC/DOCX or Web Archive/MHTML-based delivery formats, and trigger arbitrary code execution when the document is opened and the malformed EPS is processed. The vulnerability was patched by Microsoft in MS15-099 on 2015-09-08. Widespread in-the-wild exploitation by multiple threat actors and exploit builders has also been noted, including use in targeted spearphishing campaigns and exploit-document kits.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution in the context of the user running Microsoft Office. In observed campaigns, this provided initial access for malware delivery, including downloaders, backdoors, and follow-on privilege escalation exploits such as CVE-2015-1701. Operationally, the flaw enabled targeted intrusion activity, host compromise, malware staging, and subsequent persistence, reconnaissance, and lateral follow-on actions depending on the payload delivered.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, reduce exposure by blocking or restricting Office documents containing embedded EPS content, especially from untrusted sources. Use email filtering and attachment detonation for spearphishing-delivered Office files, disable or remove EPS rendering support where operationally feasible, and enforce Protected View / application control to limit execution of payloads spawned from Office. Restrict users from opening unsolicited attachments and monitor for Office processes spawning unusual child processes or loading suspicious content from temporary directories.
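One way to implement the "block or restrict documents containing embedded EPS content" step at a mail or file gateway, as an added example that is not Mallory's or Microsoft's code. It covers only OOXML (ZIP-based DOCX) containers; the function and sample names are hypothetical, and the sample documents are constructed placeholders.

```python
import io
import zipfile

# EPS signatures: the ASCII PostScript header and the 4-byte DOS EPS binary header.
EPS_ASCII_MAGIC = b"%!PS-Adobe"
EPS_DOS_MAGIC = bytes.fromhex("C5D0D3C6")


def find_eps_parts(container: bytes) -> list[str]:
    """Return the names of parts in an OOXML (ZIP) container that look like EPS."""
    stream = io.BytesIO(container)
    if not zipfile.is_zipfile(stream):
        return []  # legacy DOC and MHTML are out of scope for this check
    hits = []
    with zipfile.ZipFile(stream) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(64)
            # Flag by extension, and by content so a renamed part is still caught.
            by_name = info.filename.lower().endswith(".eps")
            by_magic = (head.startswith(EPS_DOS_MAGIC)
                        or head.lstrip().startswith(EPS_ASCII_MAGIC))
            if by_name or by_magic:
                hits.append(info.filename)
    return hits


def build_sample(parts: dict[str, bytes]) -> bytes:
    """Build a constructed, minimal ZIP container (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: harmless placeholder bytes, no real EPS program.
DOC_XML = {"word/document.xml": b"<w:document/>"}
CLEAN = build_sample({**DOC_XML, "word/media/image1.png": b"\x89PNG\r\n\x1a\n"})
WITH_EPS = build_sample({**DOC_XML, "word/media/image1.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n"})
RENAMED = build_sample({**DOC_XML, "word/media/image2.bin": EPS_DOS_MAGIC + bytes(26)})

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("eps", WITH_EPS), ("renamed", RENAMED)]:
        print(label, find_eps_parts(blob))
```

An empty result for a non-ZIP input means the file was not inspected, not that it is free of EPS; DOC and MHTML attachments need their own parsing or a quarantine policy.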

Remediation

Patch, then assume compromise.

Apply Microsoft security update MS15-099, which fixes CVE-2015-2545. Upgrade affected Microsoft Office installations (Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1) to patched builds. Because the vulnerability was actively exploited in the wild, remediation should include verifying patch deployment across all Office endpoints, especially systems used to open externally received documents.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Microsoft Corporation | Office | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
