Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a code execution vulnerability in some versions of Microsoft Excel. An
attacker could exploit this vulnerability by tricking the victim into opening a specially crafted XLS file, triggering a use-after-free condition and allowing them to execute remote code on the victim machine. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Microsoft Office ElementType code execution vulnerability (TALOS-2020-1153/CVE-2020-17123)

An exploitable use-after-free vulnerability exists in Excel as part of Microsoft Office 365 ProPlus x86, version 2002, build 12527.20988. A specially crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that this vulnerability affects Microsoft Excel for Microsoft Office 365 ProPlus x86, version 2002, build 12527.20988.


The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules: 55748, 55749