CVE-2022-24934 Overview
CVE-2022-24934 is a remote code execution vulnerability affecting Kingsoft WPS Office through version 11.2.0.10382. The vulnerability exists in the wpsupdater.exe component, which can be exploited by attackers to execute arbitrary code through malicious modification of registry keys under HKEY_CURRENT_USER. This flaw has been associated with advanced persistent threat (APT) activity targeting organizations in specific industry sectors.
Critical Impact
Successful exploitation allows remote attackers to execute arbitrary code on vulnerable systems without authentication, potentially leading to complete system compromise, data theft, and lateral movement within enterprise networks.
Affected Products
- Kingsoft WPS Office versions through 11.2.0.10382
- WPS Office wpsupdater.exe update component
- All platforms running vulnerable WPS Office installations
Discovery Timeline
- 2022-03-23 - CVE-2022-24934 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24934
Vulnerability Analysis
This vulnerability affects the WPS Office updater component (wpsupdater.exe), which improperly handles registry values under HKEY_CURRENT_USER. The update mechanism trusts user-controllable registry data without proper validation, allowing attackers to inject malicious values that influence the execution path of the updater process. When the updater runs—either automatically or triggered by the user—it reads configuration data from the registry and can be redirected to load and execute attacker-controlled code.
The vulnerability is particularly concerning because it targets the update mechanism, a privileged component that users typically trust. Security researchers at Avast documented this vulnerability being actively exploited in a campaign dubbed "Operation Dragon Castling," where APT actors targeted betting companies in Southeast Asia.
Root Cause
The root cause stems from insufficient input validation in the wpsupdater.exe binary. The updater reads configuration parameters from HKEY_CURRENT_USER registry hives without properly sanitizing or validating these values before using them in execution contexts. Since HKEY_CURRENT_USER can be modified by the current user without elevated privileges, attackers who gain initial access to a system—or trick users into running malicious scripts—can plant registry values that redirect the updater's behavior.
Attack Vector
Although the vulnerability is classified with a network attack vector, exploitation in practice requires some form of initial access or user interaction to modify registry values. The typical attack flow involves:
- Initial Access: Attacker gains the ability to modify user registry keys through phishing, malicious documents, or other initial compromise vectors
- Registry Manipulation: Malicious values are written to HKEY_CURRENT_USER registry paths monitored by wpsupdater.exe
- Trigger Execution: The WPS Office updater executes (automatically or manually) and reads the poisoned registry values
- Code Execution: The updater loads or executes attacker-controlled code based on the manipulated registry data
According to Avast's analysis of Operation Dragon Castling, this vulnerability was chained with other techniques to deliver sophisticated malware payloads in targeted attacks against organizations in the gambling industry.
Detection Methods for CVE-2022-24934
Indicators of Compromise
- Unexpected modifications to WPS Office-related registry keys under HKEY_CURRENT_USER
- Suspicious child processes spawned by wpsupdater.exe
- Network connections from wpsupdater.exe to non-Kingsoft domains
- Presence of unsigned or suspicious DLLs in WPS Office installation directories
Detection Strategies
- Monitor for registry modifications to WPS Office configuration keys using endpoint detection tools
- Implement application whitelisting to detect unauthorized code execution from update processes
- Deploy behavioral analysis to identify anomalous wpsupdater.exe activity patterns
- Correlate process execution logs with registry modification events for WPS Office components
Monitoring Recommendations
- Enable Windows Security Event logging for registry auditing (Event IDs 4656, 4657, 4663)
- Configure SentinelOne to alert on suspicious process chains involving wpsupdater.exe
- Monitor for DLL side-loading attempts in WPS Office installation directories
- Track outbound network connections from update components to detect C2 communication
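As an added example (not part of the original advisory), the detection strategies and monitoring recommendations above can be combined into one correlation check: the Python script below scans constructed Windows Security log records (Event ID 4657, registry value modified; Event ID 4688, process creation) and flags a non-WPS process writing under HKCU\Software\Kingsoft followed by wpsupdater.exe spawning a child process. The trusted-writer list, the correlation window, the sample file paths and the value names are assumptions to baseline per environment, not values from the advisory.

```python
from pathlib import PureWindowsPath

# Assumed tuning values (not from the advisory): baseline these per environment.
WATCHED_KEY_FRAGMENT = "\\software\\kingsoft\\"   # matches HKCU\Software\Kingsoft\... in 4657 Object Name
TRUSTED_REGISTRY_WRITERS = {"wpsupdater.exe"}    # add other WPS Office binaries once baselined
EXPECTED_UPDATER_CHILDREN = set()                 # any child of the updater is suspicious until baselined
CORRELATION_WINDOW_S = 300                        # registry write -> updater child within 5 minutes

def _image(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def analyze(events):
    """Scan normalised event dicts (see SAMPLE_EVENTS for the shape) and return a list of alerts.
    4657 = registry value modified, 4688 = process created (field names mirror the Security log)."""
    alerts, suspicious_writes = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4657 and WATCHED_KEY_FRAGMENT in ev["object_name"].lower():
            writer = _image(ev["process_name"])
            if writer not in TRUSTED_REGISTRY_WRITERS:
                suspicious_writes.append(ev)
                alerts.append({"rule": "untrusted-kingsoft-registry-write", "ts": ev["ts"],
                               "process": writer, "value_name": ev["value_name"]})
        elif ev["id"] == 4688 and _image(ev["creator_process"]) == "wpsupdater.exe":
            child = _image(ev["new_process"])
            if child not in EXPECTED_UPDATER_CHILDREN:
                # A recent untrusted write followed by the updater launching something is the CVE pattern.
                prior = [w for w in suspicious_writes if 0 <= ev["ts"] - w["ts"] <= CORRELATION_WINDOW_S]
                rule = "registry-poison-then-updater-exec" if prior else "updater-unexpected-child"
                alerts.append({"rule": rule, "ts": ev["ts"], "process": child, "prior_writes": len(prior)})
    return alerts

# Constructed sample telemetry: paths, SIDs and value names are placeholders, not WPS Office's real ones.
_WPS_UPDATER = r"C:\PLACEHOLDER\WPS Office\wpsupdater.exe"
_KEY = r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Kingsoft\ExampleSubkey"
SAMPLE_EVENTS = [
    {"id": 4657, "ts": 1000, "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "object_name": _KEY, "value_name": "ExampleValue"},                      # script writes WPS config
    {"id": 4657, "ts": 1010, "process_name": _WPS_UPDATER,
     "object_name": _KEY, "value_name": "LastCheck"},                         # updater writing its own keys
    {"id": 4688, "ts": 1100, "creator_process": _WPS_UPDATER, "new_process": r"C:\Windows\System32\cmd.exe"},
    {"id": 4688, "ts": 5000, "creator_process": r"C:\Windows\explorer.exe", "new_process": r"C:\Windows\notepad.exe"},
    {"id": 4688, "ts": 9000, "creator_process": _WPS_UPDATER, "new_process": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The third and fifth sample events both come from the updater, but only the third is escalated, because the untrusted registry write happened within the correlation window.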
How to Mitigate CVE-2022-24934
Immediate Actions Required
- Update WPS Office to the latest version available from the official WPS website
- Audit systems for unauthorized registry modifications in WPS Office configuration paths
- Review endpoint logs for signs of exploitation, particularly suspicious wpsupdater.exe behavior
- Consider temporarily disabling automatic updates until patching is complete
Patch Information
Kingsoft has addressed this vulnerability in versions released after 11.2.0.10382. Organizations should update to the latest WPS Office version available through official channels. Verify update integrity by downloading directly from WPS official resources and validating digital signatures before deployment.
Workarounds
- Restrict write access to WPS Office registry keys using Group Policy or registry permissions
- Implement application control policies to prevent unauthorized code execution from update processes
- Consider using SentinelOne's behavioral AI to detect and block exploitation attempts
- Deploy network segmentation to limit lateral movement if compromise occurs
# Registry permission hardening example (PowerShell)
# Restrict modifications to WPS Office registry keys. Run as the affected user; the key must exist.
# Caveat: the user owns HKCU and can rewrite this ACL, so treat it as a speed bump against
# scripts and pair it with the registry auditing described above rather than relying on it alone.
$key = "HKCU:\Software\Kingsoft"
if (-not (Test-Path $key)) { throw "Registry key not found: $key" }
$acl = Get-Acl -Path $key
# BUILTIN\Users by well-known SID so the rule resolves on non-English systems
$users = [System.Security.Principal.SecurityIdentifier]"S-1-5-32-545"
# Deny SetValue on the key and, through ContainerInherit, on the subkeys where the configuration lives
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($users, "SetValue", "ContainerInherit", "None", "Deny")
$acl.SetAccessRule($rule)
Set-Acl -Path $key -AclObject $acl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.