Equation Editor in Microsoft Office 2007

CVE-2018-0802 is a memory-corruption bug in Microsoft Equation Editor (EQNEDT32.EXE) that lets a crafted Office document execute attacker code when a user opens it. The affected population is legacy Office on Windows: Office 2007, Office 2010, Office 2013, and Office 2016 systems that did not receive the January 9, 2018 public updates that removed or neutralized Equation Editor 3.0; Microsoft later documented that Equation Editor 3.0 was removed from all supported versions because of security issues.

Microsoft's original HIGH 7.8 is directionally right, but the operational story is sharper: this is a well-worn initial-access path with public exploit material, KEV status, and repeated use in malspam and targeted campaigns. The main downward pressure is that exploitation still needs *user interaction* and mostly survives today on old, unpatched, or reintroduced legacy Office installs rather than modern fully maintained fleets, so this stays HIGH rather than CRITICAL.

Why this verdict

• KEV and campaign history push it up: CISA KEV status plus repeated use in real phishing campaigns means this is not hypothetical exploitability.
• Public exploit material lowers attacker friction: GitHub PoCs and Check Point's exploit notes make weaponization cheap for both crimeware and targeted actors.
• User-open plus legacy-footprint pull it down from CRITICAL: exploitation requires a victim to open a document and a still-vulnerable Equation Editor install, which implies gaps in patching or unsupported Office usage rather than broad exposure across every endpoint.

Why not higher?

This is not an unauthenticated network service exposed on the internet, and it is not wormable. The exploit chain depends on document delivery, user interaction, and a vulnerable legacy Office component that many mature enterprises removed years ago, so the reachable population is materially smaller than a true edge RCE.

Why not lower?

Calling this MEDIUM would ignore the part that matters: attackers actually use it. Even with user interaction in the chain, a KEV-listed client-side RCE with commodity phishing delivery and public PoCs deserves priority treatment whenever the component is still present.

1. Block EQNEDT32.EXE execution — Use WDAC, AppLocker, or equivalent application control to prevent the legacy Equation Editor from launching. For a HIGH verdict with KEV evidence, do this immediately, within hours as the fastest way to cut the exploit path before full patch cleanup lands.
2. Hunt for and remove legacy Equation Editor — Sweep endpoints for EQNEDT32.EXE in Office install paths and remove or quarantine systems where it still exists. Because Microsoft removed Equation Editor 3.0 in the January 2018 public update, file presence is a strong exposure indicator; start the hunt immediately, within hours.
3. Tighten Office child-process controls — Alert or block on Office spawning EQNEDT32.EXE, cmd.exe, powershell.exe, mshta.exe, schtasks.exe, or curl.exe. This does not replace patching, but it disrupts common second-stage behavior and should be enforced immediately, within hours for exposed fleets.
4. Raise attachment scrutiny for OLE-bearing Office files — Enable detonation, strip risky attachments where business permits, and prioritize detections for documents containing Equation/OLE objects. Because exploitation usually enters via phishing, mail control tuning should be applied immediately, within hours.
5. Prioritize unsupported Office retirement — Any host still vulnerable is likely carrying ancient Office bits or reinstalling deprecated functionality. Put those endpoints on a named remediation track and complete the actual software update or retirement within the HIGH remediation window.

Run this on the target Windows endpoint or via your RMM/EDR live response as an administrator for best coverage, though standard user rights usually work for the file checks. Example: powershell -ExecutionPolicy Bypass -File .\check-cve-2018-0802.ps1; the script reports VULNERABLE if legacy EQNEDT32.EXE is still present, PATCHED if Office is present and the legacy binary is absent, and UNKNOWN if it cannot determine Office presence reliably.

# check-cve-2018-0802.ps1

# Detect likely exposure to CVE-2018-0802 by checking whether legacy Microsoft Equation Editor 3.0

# (EQNEDT32.EXE) is still present on a Windows endpoint. Microsoft documented that Equation Editor

# 3.0 was removed from supported Office versions in the January 2018 Public Update.

#

# Exit codes:

#   0 = PATCHED

#   1 = VULNERABLE

#   2 = UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'

function Get-OfficeInstallHints {
    $hints = @()

    $regPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($rp in $regPaths) {
        Get-ItemProperty $rp | ForEach-Object {
            if ($_.DisplayName -match 'Microsoft Office|Microsoft 365|Office 365|Word|Excel|PowerPoint|Outlook') {
                $hints += [PSCustomObject]@{
                    DisplayName = $_.DisplayName
                    InstallLocation = $_.InstallLocation
                    DisplayVersion = $_.DisplayVersion
                }
            }
        }
    }

    return $hints
}

function Find-Eqnedt32 {
    $candidates = New-Object System.Collections.Generic.List[string]

    $roots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        "$env:CommonProgramFiles",
        "$env:CommonProgramFiles(x86)"
    ) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'EQNEDT32.EXE' -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $candidates.Add($_.FullName)
        }
    }

    return $candidates | Select-Object -Unique
}

$officeHints = Get-OfficeInstallHints
$eqnFiles = Find-Eqnedt32

if ($eqnFiles.Count -gt 0) {
    Write-Output 'VULNERABLE'
    Write-Output 'Legacy Equation Editor binary found:'
    foreach ($f in $eqnFiles) {
        try {
            $fi = Get-Item $f
            $ver = $fi.VersionInfo.FileVersion
            Write-Output (" - {0} (FileVersion: {1})" -f $f, $ver)
        } catch {
            Write-Output (" - {0}" -f $f)
        }
    }
    exit 1
}

if ($officeHints.Count -gt 0) {
    Write-Output 'PATCHED'
    Write-Output 'Office appears installed, but EQNEDT32.EXE was not found. This is consistent with the January 2018 public update/removal state.'
    $officeHints | Sort-Object DisplayName -Unique | ForEach-Object {
        $name = $_.DisplayName
        $ver  = $_.DisplayVersion
        if ($ver) {
            Write-Output (" - {0} ({1})" -f $name, $ver)
        } else {
            Write-Output (" - {0}" -f $name)
        }
    }
    exit 0
}

Write-Output 'UNKNOWN'
Write-Output 'Could not reliably determine Office presence and did not find EQNEDT32.EXE. Check nonstandard install paths, VDI image layers, or packaged Office components manually.'
exit 2

Sources

1. NVD CVE-2018-0802
2. Microsoft Support - January 2018 updates for Microsoft Office
3. Microsoft Support - Equation Editor removed in January 2018 Public Update
4. Check Point Research - Many Formulas, One Calc
5. Cisco Talos - Bitter APT adds Bangladesh to their targets
6. Fortinet - Agent Tesla variant spread by crafted Excel document
7. Fortinet - XWorm campaign using CVE-2018-0802
8. GitHub PoC - rxwx/CVE-2018-0802