CVE-2018-6400 in WPS Office Free
Summary
by MITRE
Kingsoft WPS Office Free 10.2.0.5978 allows local users to gain privileges or cause a denial of service by impersonating all the pipes through a use of \\.\pipe\WPSCloudSvr\WpsCloudSvr -- an "insecurely created named pipe." Ensures full access to Everyone users group.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/17/2026
The vulnerability identified as CVE-2018-6400 resides within Kingsoft WPS Office Free version 10.2.0.5978 and represents a critical privilege escalation flaw stemming from improper named pipe creation. This issue manifests through the insecure creation of a named pipe at the path \.\pipe\WPSCloudSvr\WpsCloudSvr which is subsequently accessible to all users within the Everyone group. The flaw operates at the operating system level where Windows named pipes are created without appropriate security descriptors, allowing local attackers to establish malicious connections to this pipe and potentially execute arbitrary code with elevated privileges.
The technical implementation of this vulnerability exploits the fundamental Windows security model where named pipes can be created with default security attributes that grant broad access permissions. When WPS Office creates the named pipe WPSCloudSvr without explicitly setting restrictive access control lists, it inadvertently exposes a communication channel that can be intercepted or manipulated by local users. This insecure pipe creation pattern falls under the category of weak permissions and improper access control mechanisms, directly correlating with CWE-276 which addresses improper permissions for critical resources.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass potential system compromise and denial of service conditions. An attacker with local access can leverage this weakness to impersonate legitimate pipe communications and potentially inject malicious payloads into the WPS Office process. The exposure to the Everyone group means that even unprivileged users can establish connections to the pipe, creating a pathway for privilege elevation attacks that could ultimately allow full system compromise. This vulnerability particularly affects enterprise environments where multiple users share systems and could enable attackers to escalate privileges without requiring additional authentication vectors.
Mitigation strategies for CVE-2018-6400 should focus on immediate patching of the affected WPS Office version and implementation of proper named pipe security controls. Organizations must ensure that all named pipe creation operations include explicit security descriptors that restrict access to authorized users only, following the principle of least privilege. System administrators should implement monitoring for unauthorized pipe access attempts and consider deploying application whitelisting solutions to prevent exploitation. The vulnerability demonstrates the critical importance of secure coding practices in Windows application development and aligns with ATT&CK technique T1068 which covers privilege escalation through local exploitation of system vulnerabilities. Additionally, this issue highlights the necessity for regular security assessments of third-party applications and their interaction with system-level resources, particularly in enterprise environments where software diversity increases attack surface complexity.