HIGH 7.0

CVE-2026-47293: Microsoft Office Click-To-Run Privilege Escalation Vulnerability

A use-after-free vulnerability exists in Microsoft Office's Click-To-Run installation and update mechanism. An attacker with valid credentials on a local machine can exploit a memory management flaw to gain elevated (administrator) privileges. This is not a remote vulnerability—it requires an authorized user account and local access—but the privilege escalation risk makes it a meaningful threat in environments where credential compromise or insider activity is a concern.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-416
Affected products
8 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability (CWE-416: Use After Free) resides in the Click-To-Run deployment infrastructure used by Microsoft 365 Apps and Office desktop editions. Click-To-Run manages application lifecycle, updates, and repair operations with elevated privileges. A flaw in memory allocation and deallocation during one of these operations allows an authenticated, unprivileged user to reference freed memory, leading to code execution in a privileged context. The CVSS 3.1 score of 7.0 (HIGH) reflects high confidentiality, integrity, and availability impact, but requires low privileges and a higher attack complexity on the local attack surface.

Business impact

Successful exploitation enables privilege escalation from a standard user to administrator on affected Office installations. This can facilitate lateral movement within the network, unauthorized access to sensitive documents, tampering with Office configurations, installation of persistence mechanisms, or data exfiltration. In environments where Office is widely deployed and user account hygiene varies, this represents a meaningful post-compromise risk that could amplify the impact of credential theft, phishing, or other account compromise scenarios.

Affected systems

Microsoft Office Click-To-Run is the default deployment mechanism for Microsoft 365 Apps, Office 2021, and Office 2024. This affects both subscription-based Microsoft 365 deployments and perpetual license versions. Organizations running any of these editions—whether on Windows 10, Windows 11, or Windows Server—should assume their installations are in scope until patches are applied. The vulnerability does not affect Office versions using traditional MSI installation.

Exploitability

Exploitation requires an attacker to possess valid login credentials and local machine access. The attack complexity is rated as high, meaning successful exploitation requires specific conditions or timing. There is no indication of public exploit code or active in-the-wild exploitation as of the vulnerability's publication date. However, the local-only nature and credential requirement make this particularly relevant in scenarios involving disgruntled insiders, compromised user accounts, or physical device access—not random internet-facing attacks.

Remediation

Microsoft has issued security updates for all affected Office versions. Organizations should apply patches to Microsoft 365 Apps and Office 2021/2024 installations as part of standard update cycles. For Microsoft 365 Apps, updates are often deployed automatically; verify that automatic updates are enabled and that devices have checked in recently. For on-premises Office editions, patches must be applied through Windows Update, Microsoft Update, or the Office deployment toolkit. Test patches in a lab environment before broad rollout to ensure compatibility with organizational customizations.

Patch guidance

Consult Microsoft's official security advisory for CVE-2026-47293 to identify specific patch versions for each affected product version. Microsoft 365 Apps typically receive cumulative monthly updates; ensure devices are configured to receive updates promptly. Office 2021 and 2024 require explicit patching through Windows Update or WSUS. Verify patch deployment status using your organization's device management platform (Intune, Configuration Manager, or third-party tools). Once patched, the use-after-free condition is eliminated and privilege escalation via this vector is prevented.

Detection guidance

Monitor Windows Event Logs on Office-running systems for suspicious Click-To-Run process behavior, particularly unexpected elevation attempts or unusual parent-child process chains involving OfficeClickToRun.exe or related installers. Endpoint Detection and Response (EDR) solutions should flag unusual memory access patterns or heap corruption indicators during Office update or repair operations. Check for unauthorized local administrator account creation shortly after Office updates. Because exploitation requires local access and credentials, focus detection on anomalous lateral movement or privilege escalation chains that follow account compromise alerts. Audit successful privilege elevation attempts on systems where the vulnerability remains unpatched.

Why prioritize this

This vulnerability merits urgent attention because it enables straightforward privilege escalation from standard user to administrator on widely deployed Office installations. Although it requires local access and valid credentials, the combination of those factors is common in enterprise environments affected by phishing, password reuse, or insider threats. Organizations with high sensitivity to post-compromise privilege escalation, strong endpoint monitoring, or compliance requirements for rapid patching should treat this as a near-term priority. The HIGH CVSS score and prevalence of Click-To-Run installations justify prioritization alongside other active high-severity flaws.

Risk score, explained

CVE-2026-47293 receives a CVSS 3.1 score of 7.0 (HIGH) based on the following factors: local attack vector (AV:L) limits exposure to device-local attackers; low privilege requirement (PR:L) reflects that standard users can trigger the vulnerability; high attack complexity (AC:H) indicates exploitation requires specific conditions; however, full impact across confidentiality, integrity, and availability (C:H/I:H/A:H) results from the ability to execute arbitrary code as administrator. The score appropriately balances the severity of privilege escalation against the practical barriers to exploitation. The absence of KEV listing and active exploitation reporting does not reduce the intrinsic severity, but may lower tactical urgency relative to actively weaponized vulnerabilities.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-47293 is a local privilege escalation vulnerability that requires the attacker to have valid credentials and interactive access to the machine. It cannot be exploited over the network from a remote attacker without first compromising a user account or gaining local physical access.

Which Office installations are most at risk?

Microsoft 365 Apps (the subscription version), Office 2021, and Office 2024 are all affected if they use Click-To-Run deployment. Traditional MSI-based Office installations are not vulnerable. Check your organization's Office deployment method; Microsoft 365 Apps on most Windows machines use Click-To-Run by default.

What should I prioritize: patching Office or other high-severity vulnerabilities?

Patching should be part of your regular update cadence. If you have limited remediation resources, compare this CVE against actively exploited vulnerabilities in your environment (e.g., those on CISA's KEV list). However, given the privilege escalation impact and prevalence of Office, delaying patches for months is not advisable. Aim to patch within 30 days unless mitigations (such as restricting local user privileges or enforcing MFA) are in place.

How can I verify if my organization's Office instances are patched?

Use your device management platform (Intune, Configuration Manager, etc.) to query Office versions and patch levels across your fleet. For Microsoft 365 Apps, check the 'About' dialog in any Office application (e.g., Word) to view the current build number. Cross-reference that build against Microsoft's security advisory for CVE-2026-47293 to confirm it includes the relevant patch. Unpatched devices should be flagged for immediate update.

This analysis is provided for informational purposes. While we have taken care to ensure accuracy, organizations should verify all patch versions, affected product lists, and remediation steps against official Microsoft security advisories and their own system inventories. No exploit code or weaponization details are provided. This vulnerability requires local access and valid credentials; it does not affect internet-facing attack surface. Organizations should assess their specific risk posture, endpoint visibility, and credential hygiene before determining patch priority. SEC.co does not warrant the completeness or accuracy of third-party vulnerability data or CVE metadata; always consult authoritative vendor guidance for definitive information. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).