CVE-2023-21716 | SentinelOne

CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability

Microsoft Word is a popular word-processing program used by millions of people worldwide. Unfortunately, it is also a popular target for attackers due to its wide usage. 

Recently, a vulnerability has been discovered in Microsoft Word that allows attackers to execute arbitrary code on a victim’s computer. 

Details of the CVE-2023-21716 vulnerability

The vulnerability in Microsoft Word exists in the way that the program parses RTF (Rich Text Format) files. Specifically, the program fails to handle font table definitions larger than a certain size properly. This can lead to a buffer overflow condition, which an attacker can then exploit to execute arbitrary code on the victim’s computer.

Impact of CVE-2023-21716

The Impact of this vulnerability is through a specially crafted RTF file that is sent as an email attachment or accessed through a website or file-sharing service. When the user opens the file, the vulnerability in the Microsoft Word software is exploited, allowing the attacker to execute code and potentially take control of the affected system.

In the case of the Preview Pane, the vulnerability can be triggered when a user previews an email message containing the malicious RTF file, even if the user does not open or download the attachment. This is because the Preview Pane automatically renders the content of the email, including any embedded RTF files, which can trigger the exploit.

CVE-2023-21716 – Proof-of-Concept (PoC) code explanation

The following POC code can be used to create a malicious RTF file that exploits this vulnerability:

CVE-2023-21716: POC Code | SentinelOne

The above code will create an RTF document with a large number of fonts that will trigger the vulnerability when opened in Microsoft Word.

To exploit the vulnerability, an attacker would need to craft a malicious RTF document and send it to the victim. Then, the victim would need to open the document using Microsoft Word, triggering the vulnerability and allowing the attacker to execute arbitrary code on the victim’s system.

Exploitation of CVE-2023-21716

To use the POC on Microsoft Word, you can follow the steps below:

  1. Open a text editor like Notepad/Online Notepad or Sublime Text on your system.
  2. Copy and paste the POC code into the text editor.
  3. Save the file with a .py extension, for example, “”.
  4. Open a terminal or command prompt on your system.
  5. Navigate to the directory where you saved the POC code using the “cd” command.
  6. Run the POC code by typing “python” and pressing enter.
  7. The POC will create a file named “tezt.rtf” in the same directory as the POC code.
  8. Opening the file in Microsoft Word triggers a crash, confirming the vulnerability’s existence.

Affected versions of Microsoft Office

The vulnerability affects multiple versions of Microsoft Office, including

  • Microsoft Office
  • Microsoft SharePoint Server Subscription Edition
  • Microsoft 365 Apps for Enterprise
  • SharePoint Server Subscription Edition Language Pack
  • Microsoft Office Online Server
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Enterprise Server 2013 Service Pack 1
  • Microsoft SharePoint Server 2019
  • Microsoft Word
  • Microsoft Office Web Apps Server
  • Microsoft SharePoint Foundation 2013 Service Pack 1

Mitigation guide for CVE-2023-21716

Microsoft has released security patches to address this vulnerability in affected products. Users are advised to update their Microsoft products as soon as possible to protect against this vulnerability.

For those unable to update their products, Microsoft recommends several workarounds to reduce the risk of exploitation. One recommended workaround is to use Microsoft Outlook to reduce the risk of users opening RTF files from unknown or untrusted sources. Users can also configure Microsoft Outlook to read email messages in plain text format to help protect against this vulnerability.

Another recommended workaround is to use the Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources. This can be done by editing the registry or using Group Policy. However, caution must be exercised when using the registry editor, as any incorrect changes can cause serious problems.


In conclusion, this vulnerability in Microsoft Word and other affected products can have serious security implications. Therefore, users are advised to take proactive measures to protect their systems, including installing the latest security updates from Microsoft and implementing recommended workarounds.