CVE-2022-24934 - How a Registry Change in Kingsoft WPS Office wpsupdater.exe Opens the Door to Remote Code Execution

Kingsoft WPS Office is a popular free office suite, but in early 2022, a big vulnerability was found in one of its components: wpsupdater.exe. This flaw, tracked as CVE-2022-24934, lets attackers run their own code on your computer — simply by changing one entry in the Windows Registry. In this post, I’ll break the bug down in plain English, show you a real code snippet of how it works, and link to more resources for deeper learning.

What’s Going On Here?

TL;DR: The WPS Office updater (wpsupdater.exe) trusts information it reads from the Windows registry for updating itself. If an attacker, or even a malicious local program, edits a certain registry value under your account (HKCU), the updater ends up running whatever file or program the attacker chooses when checking for updates.

Why is this Dangerous?

- Remote Code Execution (RCE): Means someone can run *any* code on your machine as you, without you knowing.
- No Admin Needed: The attack works using only your regular user permissions (no admin rights required).
- Delivered by Phishing or Malware: An attacker could trick you into running a registry-modifying script, then let WPS Office do the rest.

WPS Office uses the following registry key for update settings

HKEY_CURRENT_USER\SOFTWARE\Kingsoft\Office\6.\Common\Update

Inside, there’s a value named UpdateExec.

Normally, this points to the legitimate WPS updater. But it turns out that wpsupdater.exe doesn’t check or validate what’s actually set there. If you or malware change it to, say, C:\Users\Public\HelloHacker.bat, then when the updater next does its thing, it’ll run that batch file instead.

Open cmd.exe as your user and run this

:: Create a harmless payload in your public folder
echo calc.exe > C:\Users\Public\HelloHacker.bat

:: Change the registry to point to your payload
reg add "HKCU\SOFTWARE\Kingsoft\Office\6.\Common\Update" /v UpdateExec /t REG_SZ /d "C:\Users\Public\HelloHacker.bat" /f

Next time WPS Office checks for updates and runs its updater, it will execute your batch file! In this example, the Calculator will pop up — but in a real attack, it could be any malicious script.

How would an Attacker Exploit This?

1. Deliver a Payload: Through phishing, a drive-by download, or even a compromised plugin, the attacker puts a batch file/executable in a known location.
2. Set the Registry Key: Using a simple script or a piece of malware, edit the UpdateExec value under your registry.
3. Wait for WPS Office Updater: As soon as the updater checks for updates — possibly at next login or via scheduled task — boom! The attacker’s code runs under your Windows user account.

Technical References

- Original NVD Entry for CVE-2022-24934
- GitHub PoC - by Ceri Coburn
- Kingsoft Security Update *(Official Notice – Chinese)*

Final Thoughts

CVE-2022-24934 is a textbook case of why applications must treat user-writable configuration very carefully, especially when it involves executing files. With just a registry tweak, attackers can take over the trusted update process. If you use WPS Office, update now and check your registry!

Security isn’t just about patches — it’s also about knowing what’s under the hood. Stay safe and stay updated.

Timeline

Published on: 03/23/2022 22:15:00 UTC
Last modified on: 03/31/2022 16:52:00 UTC