Description
Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2026-01-13
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Untrusted search path flaw (CWE-426) in the Microsoft Office Click-to-Run component: an attacker who can get a malicious executable (or library) into a directory that Office searches before the location of the legitimate binary, for example a user-writable directory that appears earlier in the system PATH, has that file run in the context of the Office process. The result is arbitrary local code execution with the privileges of the account that launched the Office program. The description does not claim elevation beyond those privileges or data exfiltration; note, however, that the record's title was changed on 2026-01-20 from "Elevation of Privilege" to "Remote Code Execution" (see History).

Affected Systems

Affected products, per the CPE data on this page, are Microsoft Office 2016 on both 32-bit (x86) and 64-bit (x64) architectures, the Office Deployment Tool, and Microsoft SharePoint Server 2016 Enterprise, SharePoint Server 2019, and SharePoint Server Subscription Edition. Any installation whose Office or Click-to-Run binaries are located through a search path that includes a directory writable by non-administrative users is exposed until the update is applied.

Risk and Exploitability

With a CVSS v3.1 base score of 7.0 (vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) the vulnerability is rated High. The vector is local with high attack complexity; it requires no privileges but does require user interaction (a user must launch the affected Office component), and a successful attack fully compromises confidentiality, integrity and availability. The EPSS score of less than 1 % indicates a very low current probability of exploitation, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment on the record reads Exploitation: none, Automatable: no, Technical Impact: total. The attacker must be able to place a file in a directory that is searched before the Office binaries, or otherwise influence the search path; that precondition limits exposure, but because the outcome is arbitrary code execution, prompt remediation is warranted.

Generated by OpenCVE AI on April 16, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround text is recorded on this page. Note, however, that the CVSS temporal metrics on the record (RL:O, RC:C) indicate an official fix with a confirmed report, so check the Microsoft Security Update Guide entry for CVE-2026-20943 for the released update before treating this as unpatched.

OpenCVE Recommended Actions

  • Install the latest security update for Microsoft Office 2016 (Click-to-Run), the Office Deployment Tool, and all supported SharePoint Server releases from Microsoft Update, and verify that the installed build matches the fixed build listed for CVE-2026-20943.
  • Review the machine and user PATH so that every entry is an absolute path to a directory writable only by administrators; remove empty or relative entries and any user-writable directory, especially one that appears before the Office directories in the search order.
  • Apply file‑system permissions that restrict write access to the Office installation directories and any directories that the system references during Office startup, allowing modification only for privileged administrators.
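As an added example for the two items above (not code from the OpenCVE page or from Microsoft), the following PowerShell script audits the Windows search path the way a practitioner would before and after patching: it walks the machine and user PATH in search order, flags empty, relative, user-writable and missing-but-creatable entries, and then checks the ACLs of the usual Office and Click-to-Run install directories. The trusted-principal list, the Office directory candidates, and the function names Get-UntrustedWriters, Get-PathEntries and Get-SearchPathFindings are assumptions chosen for illustration.

```powershell
# Added audit script written for this page; it is not code from OpenCVE or
# Microsoft. It lists the directories Windows searches for an unqualified
# program or DLL name (machine PATH, then user PATH, in search order) and
# flags any entry a non-administrative principal can write to, which is the
# precondition an untrusted-search-path (CWE-426) attacker needs. The
# trusted-principal list and the Office directory candidates are assumptions.

$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Enum bits that allow planting or replacing a file in a directory.
$PlantMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, Write, Modify, FullControl'
$GenericWrite = 0x40000000   # GENERIC_WRITE: Get-Acl reports generic rights as raw integers
$GenericAll   = 0x10000000   # GENERIC_ALL
$InheritOnly  = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriters {
    # Returns the non-trusted principals whose Allow ACEs grant write-type
    # rights on the directory itself (inherit-only ACEs do not apply to it).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]$ace.PropagationFlags -band $InheritOnly) { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedWriters -contains $who) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $PlantMask) -or ($rights -band $GenericWrite) -or ($rights -band $GenericAll)) { $who }
    }
    return @($writers | Sort-Object -Unique)
}

function Get-PathEntries {
    param([string]$Scope)   # 'Machine' or 'User'
    $raw = [Environment]::GetEnvironmentVariable('Path', $Scope)
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    foreach ($d in ($raw.TrimEnd(';') -split ';')) {
        [pscustomobject]@{ Scope = $Scope; Dir = [Environment]::ExpandEnvironmentVariables($d.Trim()) }
    }
}

function Get-SearchPathFindings {
    # One object per risky entry: empty or relative entries, writable entries,
    # and missing entries whose parent is writable (an attacker could create
    # the missing directory and claim that PATH slot).
    $entries = @(Get-PathEntries -Scope Machine) + @(Get-PathEntries -Scope User)
    $pos = 0
    foreach ($e in $entries) {
        $pos++
        $f = [pscustomobject]@{ Position = $pos; Scope = $e.Scope; Dir = $e.Dir; Issue = $null; Writers = @() }
        if ($e.Dir -eq '') { $f.Issue = 'Empty entry'; $f; continue }
        if (-not [System.IO.Path]::IsPathRooted($e.Dir)) { $f.Issue = 'Relative entry (resolved against the current directory)'; $f; continue }
        if (Test-Path -LiteralPath $e.Dir -PathType Container) {
            $f.Writers = @(Get-UntrustedWriters -Path $e.Dir)
            if ($f.Writers.Count) { $f.Issue = 'Writable by non-administrative principal'; $f }
            continue
        }
        $parent = Split-Path -LiteralPath $e.Dir -Parent
        if ($parent -and (Test-Path -LiteralPath $parent -PathType Container)) {
            $f.Writers = @(Get-UntrustedWriters -Path $parent)
            if ($f.Writers.Count) { $f.Issue = 'Missing directory, parent writable'; $f }
        }
    }
}

# Typical Click-to-Run and Office 2016 install locations (assumed defaults).
# The DLL search order starts in the application's own directory, so these
# must not be writable by ordinary users either.
$OfficeDirs = foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })) {
    Join-Path $root 'Common Files\Microsoft Shared\ClickToRun'
    Join-Path $root 'Microsoft Office\root\Office16'
}

$findings = @(Get-SearchPathFindings)
if ($findings.Count -eq 0) {
    Write-Host 'PATH: no empty, relative, or user-writable entries found.'
} else {
    $findings | Format-Table Position, Scope, Dir, Issue, @{ n = 'Writers'; e = { $_.Writers -join ', ' } } -AutoSize
}
foreach ($dir in ($OfficeDirs | Where-Object { Test-Path -LiteralPath $_ -PathType Container })) {
    $w = @(Get-UntrustedWriters -Path $dir)
    if ($w.Count) { Write-Warning "$dir is writable by: $($w -join ', ')" }
    else { Write-Host "$($dir): write access limited to trusted principals" }
}
```

Two caveats: the check matches ACE principals by name rather than computing effective access, so rights granted through nested group membership are not resolved, and the script does not claim to model the exact search path the Click-to-Run component uses, which the advisory does not disclose; it covers the generic PATH and application-directory preconditions that any CWE-426 hijack needs.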

Generated by OpenCVE AI on April 16, 2026 at 18:15 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 20:15:00 +0000

Type: Title
  Values Removed: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
  Values Added: Microsoft Office Click-To-Run Remote Code Execution Vulnerability

Fri, 16 Jan 2026 16:15:00 +0000

Type: First Time appeared
  Values Added: Microsoft office Deployment Tool
Type: CPEs
  Values Added:
    cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*
    cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*
    cpe:2.3:a:microsoft:office_deployment_tool:*:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Microsoft office Deployment Tool

Wed, 14 Jan 2026 20:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 18:15:00 +0000

Type: Description
  Values Added: Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally.
Type: Title
  Values Added: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
Type: First Time appeared
  Values Added:
    Microsoft
    Microsoft office
    Microsoft office 2016
    Microsoft sharepoint Server
    Microsoft sharepoint Server 2016
    Microsoft sharepoint Server 2019
Type: Weaknesses
  Values Added: CWE-426
Type: CPEs
  Values Added:
    cpe:2.3:a:microsoft:office:*:*:Deployment_Tool:*:*:*:*:*
    cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*
    cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added:
    Microsoft
    Microsoft office
    Microsoft office 2016
    Microsoft sharepoint Server
    Microsoft sharepoint Server 2016
    Microsoft sharepoint Server 2019
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1 {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:55.072Z

Reserved: 2025-12-04T20:04:16.338Z

Link: CVE-2026-20943

Vulnrichment

Updated: 2026-01-13T19:32:50.456Z

NVD

Status : Analyzed

Published: 2026-01-13T18:16:21.687

Modified: 2026-01-16T16:14:34.970

Link: CVE-2026-20943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses