The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-7263

CVE-2024-7263: Kingsoft WPS Office Path Traversal Flaw

CVE-2024-7263 is a path traversal vulnerability in Kingsoft WPS Office promecefpluginhost.exe that allows attackers to load arbitrary Windows libraries. This article covers technical details, affected versions, and mitigation.

Updated: January 22, 2026

CVE-2024-7263 Overview

CVE-2024-7263 is an improper path validation vulnerability in promecefpluginhost.exe within Kingsoft WPS Office. This vulnerability affects WPS Office versions ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows systems and allows an attacker to load an arbitrary Windows library. Notably, the patch released in version 12.1.0.17119 to address CVE-2024-7262 was not restrictive enough—another parameter was not properly sanitized, which leads to the execution of an arbitrary Windows library.

Critical Impact

This vulnerability enables arbitrary library loading, potentially allowing attackers to execute malicious code on affected systems through improper path validation bypass.

Affected Products

  • Kingsoft WPS Office versions 12.2.0.13110 to 12.2.0.17115 (exclusive)
  • Microsoft Windows operating systems running affected WPS Office versions

Discovery Timeline

  • August 15, 2024 - CVE-2024-7263 published to NVD
  • April 24, 2025 - Last updated in NVD database

Technical Details for CVE-2024-7263

Vulnerability Analysis

This vulnerability stems from insufficient input validation in the promecefpluginhost.exe component of Kingsoft WPS Office. The flaw is classified as CWE-22 (Path Traversal), where improper handling of path parameters allows attackers to bypass security restrictions and load arbitrary Windows libraries.

The vulnerability represents an incomplete fix for the previously disclosed CVE-2024-7262. While the original patch attempted to sanitize input parameters, it failed to adequately restrict all potentially dangerous parameters. This oversight means that attackers who were aware of CVE-2024-7262 could analyze the patch and identify an alternative exploitation path through the unsanitized parameter.

The local attack vector requires user interaction, typically achieved through social engineering tactics such as convincing a user to open a malicious document or click a specially crafted link. Once triggered, the vulnerability allows loading of attacker-controlled DLL files, leading to arbitrary code execution within the context of the WPS Office process.

Root Cause

The root cause of CVE-2024-7263 lies in incomplete input sanitization within the promecefpluginhost.exe executable. While Kingsoft addressed one vulnerable parameter in their initial patch for CVE-2024-7262, they failed to identify and sanitize an additional parameter that could be manipulated to achieve the same malicious outcome—loading arbitrary Windows libraries. This represents a common pattern in vulnerability remediation where patch coverage is insufficient to address all potential attack vectors.

Attack Vector

The attack requires local access and user interaction to exploit. An attacker can craft a malicious document or leverage other social engineering techniques to trigger the vulnerability. When a user opens the malicious content, the improperly validated path parameter in promecefpluginhost.exe allows the attacker to specify and load a malicious DLL from an arbitrary location. This arbitrary library loading effectively grants the attacker code execution capabilities with the same privileges as the WPS Office process.

The exploitation mechanism involves manipulating path parameters to bypass the application's intended library loading restrictions. Due to insufficient validation, specially crafted path strings can traverse directories or reference attacker-controlled locations, enabling the loading of malicious Windows DLL files.

Detection Methods for CVE-2024-7263

Indicators of Compromise

  • Unusual DLL loading activity by promecefpluginhost.exe from non-standard directories
  • Suspicious process behavior from WPS Office components attempting to access unexpected file paths
  • Evidence of path traversal sequences in process arguments or file access logs
  • Unexpected child processes spawned by WPS Office executables

Detection Strategies

  • Monitor promecefpluginhost.exe for abnormal library loading patterns, particularly DLLs loaded from user-writable directories
  • Implement application whitelisting to detect unauthorized DLL loading attempts
  • Deploy endpoint detection rules to identify path traversal patterns in WPS Office process arguments
  • Analyze file access logs for suspicious path manipulation attempts targeting WPS Office components

Monitoring Recommendations

  • Enable enhanced process creation logging to capture command-line arguments for WPS Office executables
  • Configure DLL load monitoring on endpoints running affected WPS Office versions
  • Establish baseline behavior for promecefpluginhost.exe to identify anomalous activity
  • Implement file integrity monitoring for WPS Office installation directories

How to Mitigate CVE-2024-7263

Immediate Actions Required

  • Update Kingsoft WPS Office to version 12.2.0.17119 or later immediately
  • Audit systems for vulnerable WPS Office installations and prioritize patching
  • Restrict user permissions to minimize the impact of potential exploitation
  • Educate users about the risks of opening untrusted documents

Patch Information

Kingsoft has released a security update to address this vulnerability. Users should update to WPS Office version 12.2.0.17119 or later, which includes proper sanitization for the previously vulnerable parameter. For detailed patch information, refer to the WPS Security Update Announcement.

Workarounds

  • Implement application control policies to restrict DLL loading from non-standard locations
  • Use endpoint protection solutions to monitor and block suspicious library loading behavior
  • Consider temporarily uninstalling or disabling WPS Office on critical systems until patching is complete
  • Deploy network segmentation to limit potential lateral movement if exploitation occurs
bash
# Configuration example - Verify WPS Office version on Windows
# Run in Command Prompt or PowerShell to check installed version
wmic product where "name like 'WPS Office%%'" get name,version

# PowerShell alternative for version verification
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "*WPS Office*"} | Select-Object DisplayName,DisplayVersion

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechKingsoft Wps Office
  • SeverityCRITICAL
  • CVSS Score9.3
  • EPSS Probability0.13%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityHigh
  • AvailabilityHigh
  • CWE References
  • CWE-22
  • Vendor Resources
  • WPS Security Update Announcement
  • Related CVEs
  • CVE-2024-7262: Kingsoft WPS Office Path Traversal Flaw
  • CVE-2023-31275: Kingsoft WPS Office RCE Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English