KISA Issues Warning for Type Confusion Vulnerability in Hancom Office

Answer Brief

South Korea's KISA and KrCERT/CC have disclosed a high-severity type confusion vulnerability (CVE-2025-29867) in Hancom Office. The flaw resides in the DOC file processing logic, potentially allowing remote attackers to execute arbitrary code. Users of Hancom Office versions 2018 through 2024 must apply security updates to mitigate risks of system compromise through malicious documents.

Why It Matters

The disclosure of CVE-2025-29867 highlights a critical security gap in Hancom Office, a productivity suite that maintains a dominant market share within South Korean government agencies, public institutions, and educational sectors. The vulnerability is classified as a type confusion error, which occurs when a program allocates or uses a resource as one type but later accesses it using a different, incompatible type. In this instance, the flaw is triggered during the parsing of DOC format documents, indicating that the software's input validation mechanisms are insufficient to handle specially crafted data structures.

From an operational standpoint, this vulnerability presents a high risk because it is delivered via common document files. In many professional environments, opening DOC files is a standard daily task, making it a highly effective delivery vector for phishing or targeted social engineering attacks. Because Hancom Office is the standard for official documentation in Korea, the potential for widespread exploitation across regional infrastructure is significant. A CVSS score of 8.5 underscores the severity, reflecting that the exploit could lead to full system compromise without requiring high administrative privileges.

Technical Signal

Global security teams should take note of this signal, particularly those supporting multinational corporations with South Korean branches or partners. While Hancom Office is less common in North America and Europe, it is an essential component of the software supply chain in East Asia. Compromising a local office through a Hancom vulnerability could serve as a beachhead for lateral movement into global corporate networks. This makes the vulnerability more than just a local concern; it is a potential entry point for advanced persistent threat (APT) groups focusing on the region.

Technically, the issue stems from how Hancom Office 2018 through 2024 handles object types within the legacy DOC format. Type confusion often leads to memory corruption, allowing an attacker to overwrite sensitive memory areas or redirect execution flow to a payload of their choosing. The fact that the vulnerability spans four major release cycles suggests that the underlying logic for document conversion or parsing has remained relatively static, necessitating a comprehensive patch across the entire product lineup.

Operational Impact

For IT and security operations teams, the immediate priority is inventory and patching. Because Hancom Office updates are often managed via a proprietary updater or manual downloads from the Hancom Download Center, automated patch management systems might not catch these versions unless specifically configured. Security teams should prioritize users in finance, administration, and legal departments who handle the highest volume of external documents.

Risk boundaries for this vulnerability are defined by the user's interaction with external files. The vulnerability is not self-propagating but requires a user to open a malicious file. Therefore, standard defensive measures such as email filtering, attachment sandboxing, and endpoint detection and response (EDR) are critical layers of defense. However, the most effective remediation remains the application of the vendor-supplied security patches to close the underlying type confusion flaw.

What To Watch

Moving forward, researchers and defenders should watch for any evidence of active exploitation in the wild, particularly targeting South Korean government or defense entities. The emergence of a public CVE for such a widely used regional office suite often leads to increased interest from threat actors seeking to reverse-engineer the patch and develop functional exploits. Ongoing monitoring of document-based delivery patterns in the region is highly recommended.

Event Type: security
Importance: high

Affected Companies

  • Hancom
  • KISA
  • KrCERT/CC

Affected Sectors

  • Cybersecurity
  • Public Sector
  • Software Development

Key Numbers

  • CVSS Score: 8.5
  • Affected Major Versions: 4
  • Minimum Secure Version (2024): 13.0.0.3050

Timeline

  1. Original vulnerability disclosure by KISA/KrCERT/CC
  2. Vulnerability details and CVE-2025-29867 identifier publicized
  3. Current runtime confirmation of active security advisory status

Frequently Asked Questions

What is the primary risk associated with CVE-2025-29867?

The primary risk is remote code execution (RCE). An attacker can craft a malicious .doc file that exploits a type confusion error during processing. If a user opens this file, the attacker could gain unauthorized control over the system or execute malicious commands.

Which versions of Hancom Office are vulnerable?

Versions of Hancom Office 2018 (below 10.0.0.12681), 2020 (below 11.0.0.8916), 2022 (below 12.0.0.4426), and 2024 (below 13.0.0.3050) are affected by this vulnerability. Users should check their specific build numbers immediately.
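The build check described above can be run across an exported software inventory. The following is an added example, not Hancom or KISA tooling: the `host,version` CSV layout, the host names and the sample builds are constructed, and only the four fixed-build thresholds come from this page.

```python
import csv
import io

# First fixed build per release line, taken from the version list above.
FIXED_BUILDS = {
    10: (10, 0, 0, 12681),  # Hancom Office 2018
    11: (11, 0, 0, 8916),   # Hancom Office 2020
    12: (12, 0, 0, 4426),   # Hancom Office 2022
    13: (13, 0, 0, 3050),   # Hancom Office 2024
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Classify one build as VULNERABLE, PATCHED or REVIEW (manual check)."""
    version = parse_version(version_text)
    if version is None:
        return "REVIEW"  # unparseable build string: do not assume it is safe
    fixed = FIXED_BUILDS.get(version[0])
    if fixed is None:
        return "REVIEW"  # release line not listed in the advisory
    return "VULNERABLE" if version < fixed else "PATCHED"

def triage(inventory_csv):
    """Map each host in a 'host,version' CSV export to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["version"]) for row in reader}

# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE = """host,version
fin-ws-01,11.0.0.8915
fin-ws-02,11.0.0.8916
legal-ws-07,13.0.0.2900
adm-ws-03,10.0.0.12681
edu-lab-11,12.0.0
old-kiosk-2,9.6.1.9000
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts marked REVIEW have a build string that is malformed or belongs to a release line the advisory does not list, so they need a manual check rather than being counted as patched.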

How can I mitigate the threat from CVE-2025-29867?

Users should update their software to the latest patched versions provided by Hancom. Mitigation involves downloading the security update from the Hancom Download Center. Organizations should also exercise caution when opening document attachments from untrusted or external sources.
