Microsoft Office Online Server: Unfixed RCE vulnerability

[German]As of November 8, 2022, Microsoft has released security updates for its Office Online servers to close vulnerabilities in Word and Excel. According to my information, a vulnerability exists (Server-Side Request Forgery, SSRF, to RCE, Remote Code Execution) that Microsoft does not want to eliminate.


Office Online Server is the next generation of the Office Web Apps Server. Office Online Server provides browser-based versions of Word, PowerPoint, Excel and OneNote. A single Office Online Server farm can support users accessing Office files through SharePoint Server, Exchange Server, shared folders and Web sites. The product can integrate with SharePoint to provide web-based access to these documents within SharePoint.

Security updates Nov. 2022

II had also listed the two security updates for Microsoft Office Online Server in the blog post Patchday: Microsoft Office Updates (November 8, 2022):

Both updates address the following vulnerabilities:

However, not all known vulnerabilities in Microsoft Office Online Server are fixed.

Unfixed vulnerability

I already came across the following tweet from Will Dormann some time ago, which points out the issue. It is about an RCE vulnerability that is not supposed to be fixed.


Unfixed vulnerability in Microsoft Office Online Server

Security experts at MDSec have discovered a server-side request forgery vulnerability, which can be exploited under the right conditions to achieve remote code execution on Office Online Server itself, during a routine penetration test.

The /op/view.aspx endpoint in Office Online Server is intended to be used to retrieve Office documents from remote resources and display them in the browser. The endpoint is affected by classic server-side request forgery, where a connection is initiated by the application by specifying an HTTP(s) or UNC location. All Office Online Server versions up to and including 16.0.10338.20039 are affected.

The team reported the vulnerability in Microsoft Office Online Server to the Microsoft MSRC, which deemed the remote code execution (RCE) critical. The Microsoft Security Response Center looked into the matter and replied that they would not fix this vulnerability. The security researchers at MDSec have since made the details of the vulnerability public in the blog post Microsoft Office Online Server Remote Code Execution.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Cloud, Office, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *