PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-24509 Microsoft CVE debrief

A remote code execution vulnerability in Microsoft Office Visio allows an attacker to execute arbitrary code if a user opens a specially crafted file. Exploitation requires user interaction, typically opening a malicious Visio document delivered by email, web download, or a shared drive. With a CVSS 3.1 score of 7.8 (HIGH), successful exploitation has high impact on confidentiality, integrity, and availability. Note that "remote code execution" here describes the attacker's position, not the CVSS vector: because the malicious file has to be opened on the victim's machine, the attack vector is scored as local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), and scope unchanged (S:U). Code runs with the privileges of the user who opened the file. Microsoft addressed this vulnerability in the March 2022 security updates. The CVE record was modified in May 2026, indicating ongoing curation of metadata. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and no use in ransomware campaigns has been documented.

Vendor
Microsoft
Product
Microsoft Office 2019
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2022-03-09
Original CVE updated
2026-05-19
Advisory published
2022-03-09
Advisory updated
2026-05-19

Who should care

Organizations running Microsoft Office Visio in enterprise environments, particularly those whose users regularly receive diagrams and other documents from external parties. Security teams responsible for endpoint protection, patch management, and Microsoft 365 security configuration. Incident response teams monitoring for Office-based exploitation patterns such as unexpected child processes of Office applications.

Technical summary

CVE-2022-24509 is a remote code execution vulnerability in Microsoft Office Visio. Exploitation requires a victim to open a maliciously crafted Visio file, after which the attacker can execute code in the context of the current user. The vulnerability is rated HIGH (CVSS 7.8) because it yields full control of the user's session, and full system compromise where that user holds administrative rights. Microsoft released patches in March 2022. The vulnerability affects Microsoft 365 Apps for Enterprise, Office 2019, and Office LTSC 2021. No public ransomware exploitation has been confirmed. Defensive measures center on patching, attack surface reduction, and user awareness.

Defensive priority

HIGH

Recommended defensive actions

  • Apply the Microsoft security updates from March 2022 Patch Tuesday to all affected Office/Visio installations (Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021), and confirm the deployed build on a sample of endpoints rather than relying on the update job's status alone.
  • Verify that Microsoft Defender Attack Surface Reduction (ASR) rules covering Office are in Block mode, particularly "Block all Office applications from creating child processes", "Block Office applications from creating executable content", and "Block executable content from email client and webmail". Roll out in Audit mode first if line-of-business add-ins spawn child processes legitimately.
  • Enable Protected View in Visio's Trust Center for all files originating from the Internet, Outlook attachments, and untrusted locations, so that a crafted file is opened read-only in a sandboxed process by default.
  • Deploy application control policies (AppLocker/WDAC) to restrict execution of untrusted code from Office application contexts.
  • Conduct user awareness training on recognizing suspicious Visio files and social engineering lures.
  • Monitor process-creation telemetry (Sysmon Event ID 1 or Windows Security Event 4688) for anomalous child processes of VISIO.EXE, for example cmd.exe, powershell.exe, rundll32.exe, mshta.exe, or any binary launched from a user-writable path, as a potential exploitation indicator.
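The following PowerShell script is an added example written for this debrief; it is not code from PatchSiren or Microsoft. It implements two of the actions above on a single endpoint: it reports and optionally enables the Office-related ASR rules in Microsoft Defender, and it hunts Sysmon process-creation events for child processes of VISIO.EXE. It assumes Microsoft Defender Antivirus is the active engine, that Sysmon is installed with Event ID 1 logging, and that the script runs elevated. The benign-child allowlist is an assumption for tuning and should be adjusted to the environment.

```powershell
# Added example, not the page's or Microsoft's own code.
# Assumes: Microsoft Defender AV active, Sysmon (Event ID 1) installed, elevated shell.

# ASR rule GUIDs as documented for Microsoft Defender for Endpoint.
$OfficeAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

# Report the current state of each Office-related ASR rule.
function Get-OfficeAsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $OfficeAsrRules.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $guid) { $idx = $i; break }
        }
        $state = if ($idx -lt 0) { 'NotConfigured' } else {
            # Action codes returned by Get-MpPreference: 0 off, 1 block, 2 audit, 6 warn.
            switch ([int]$actions[$idx]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
                default { "Unknown($($actions[$idx]))" }
            }
        }
        [pscustomobject]@{ Rule = $OfficeAsrRules[$guid]; Guid = $guid; State = $state }
    }
}

# Enable the rules, in Audit mode first if requested, then Block once the audit log is clean.
function Enable-OfficeAsrRules {
    param([switch]$AuditOnly)
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    foreach ($guid in $OfficeAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid `
                         -AttackSurfaceReductionRules_Actions $action
    }
}

# Hunt Sysmon Event ID 1 for processes whose parent is VISIO.EXE.
# $BenignChildren is an assumed allowlist (printing and error-reporting helpers); tune it locally.
function Find-VisioChildProcesses {
    param(
        [int]$Hours = 24,
        [string[]]$BenignChildren = @('splwow64.exe', 'WerFault.exe')
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data.ParentImage -like '*\VISIO.EXE') {
            $leaf = Split-Path -Leaf $data.Image
            # Flag anything not on the allowlist; binaries under user-writable paths are
            # flagged regardless of name.
            $userWritable = $data.Image -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'
            if ($userWritable -or ($BenignChildren -notcontains $leaf)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Host        = $_.MachineName
                    User        = $data.User
                    Parent      = $data.ParentImage
                    Image       = $data.Image
                    CommandLine = $data.CommandLine
                }
            }
        }
    }
}

# Usage:
Get-OfficeAsrRuleState | Format-Table -AutoSize
# Enable-OfficeAsrRules -AuditOnly      # first pass
# Enable-OfficeAsrRules                 # after reviewing audit events
Find-VisioChildProcesses -Hours 72 | Format-Table -AutoSize
```

If Sysmon is not deployed, the same hunt can be run against the Security log with Event ID 4688, reading NewProcessName and ParentProcessName instead of Image and ParentImage; command-line auditing must be enabled separately for CommandLine to be populated there. Rule state should be reported per endpoint because Group Policy or Intune settings can override a local Add-MpPreference call.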

Evidence notes

CVE published 2022-03-09; modified 2026-05-19. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Affected products per NVD CPE: Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021. No CISA KEV entry. Microsoft Security Response Center guidance available.

Official resources

2022-03-09