Published: December 13, 2022

Overview

Microsoft disclosed a vulnerability in its legacy JScript9 library that attackers have exploited through phishing attachments involving Microsoft Word, the deprecated but still-used Internet Explorer (IE) engine, and Rich Text Format (RTF) files. Known as CVE-2022-41128, this vulnerability is being weaponized by cyber criminals in phishing emails to trick unsuspecting users and to evade detection. A North Korean threat group, APT39, is among the attackers actively exploiting it. Microsoft has now issued a patch that organizations can apply to close the CVE-2022-41128 security gap.

Background

Attackers use legitimate business file formats such as Word documents and RTF files to slip past anti-virus tools and lull users into a false sense of security. CVE-2022-41128 lets an attacker who delivers a malicious Word document execute code in the victim’s environment, which is known as Remote Code Execution (RCE). RCE gives a cyber criminal access to someone else’s computer, where they can view, change, and delete data as well as create new accounts using the legitimate user’s privileged access rights.

While this vulnerability does not impact Netsurion’s infrastructure or platform, we are providing insights and remediation guidance to our customers, partners, and the industry at large in the spirit of cooperation.

Impact

This vulnerability applies to the following use case:

  • Windows Scripting Language Remote Code Execution (RCE) Vulnerability: CVE-2022-41128

Applicable Versions

This vulnerability carries a risk rating of High, with a severity score of 8.8 out of 10.0 on the CVSS 3.0 scale in the National Vulnerability Database (NVD).

  • Only applications, such as Microsoft Office, that use the IE engine (its JavaScript engine)
  • Windows hosts and servers
  • Windows 7 through Windows 11 are impacted
  • Windows Server 2008 through Windows Server 2022 (without the November 2022 security update)

Mitigations / Workarounds

  • Update to the Windows November 2022 patch
  • Further mitigations and workarounds may be released in the future as more insights and active exploits unfold.

Best Practices

This vulnerability is easily exploited using a malicious Microsoft Word document, the method used by the threat actor group APT37. To stay protected against CVE-2022-41128, it is important that organizations patch their devices and systems.

This attack can be avoided by carefully scanning Microsoft Office documents and RTF files, especially those arriving from unknown email addresses.
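As an added defender-side example (not Netsurion’s code), the following Python triages a .docx along the lines of the advice above: it computes the SHA-256 hash in the form this advisory publishes its document IoCs, and flags a document whose settings relationships point at an external template, which is the mechanism by which Word fetches a remote RTF template when the file is opened. The known-bad hash set, the template URL and the minimal .docx built by `build_sample_docx` are constructed placeholders, not samples from the campaign.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses for an attached template (word/_rels/settings.xml.rels).
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest, the form in which the advisory's document IoCs are published."""
    return hashlib.sha256(data).hexdigest()


def remote_template_targets(docx_bytes: bytes) -> list:
    """External attachedTemplate targets: a TargetMode="External" relationship
    makes Word fetch the template (e.g. an RTF file) from that URL when the document opens."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return targets  # no template relationships at all
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets


def triage(docx_bytes: bytes, known_bad_hashes: set) -> dict:
    """Flag a file if its hash is a published IoC or it pulls a remote template."""
    digest = sha256_of(docx_bytes)
    remote = remote_template_targets(docx_bytes)
    return {"sha256": digest, "ioc_match": digest in known_bad_hashes,
            "remote_templates": remote,
            "suspicious": digest in known_bad_hashes or bool(remote)}


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx for testing (placeholder, not a real malicious sample)."""
    rels = '<Relationships xmlns="%s">' % REL_NS
    if template_target:
        rels += ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                 % (ATTACHED_TEMPLATE, template_target))
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A real deployment would feed `triage` the attachment bytes from the mail gateway and the hash set from a threat feed; the same relationship check applies to .dotx and .docm containers.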

Netsurion Detection and Response

At this time, our Netsurion Managed Open XDR security experts have determined that no Netsurion infrastructure, products, or modules are impacted by CVE-2022-41128. The IoCs have been added to the Netsurion Threat Center so that they can be detected by the Netsurion Security Operations Center (SOC).

Our security experts are closely monitoring IE vulnerabilities for updates and any potential exploits by cyber criminals. We will update this Security Advisory with any future details and attack surface reduction tips.

Indicators of Compromise (IoCs):

Malicious documents:


Remote RTF (Rich Text Format) file template:

  • 08f93351d0d3905bee5b0c2b9215d448abb0d3cf49c0f8b666c46df4fcc007cb

Detection by Netsurion Vulnerability Management Service

The Vulnerability Management signature database has been updated with CVE-2022-41128 mitigations. Our Security Operations Center (SOC) will detect and report any related JScript9 vulnerabilities to customers and partners who subscribe to Netsurion Vulnerability Management.

Contact your Netsurion Account Manager with any questions.