# Titles: Microsoft Outlook - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 07/06/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
# Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
# CVE-2025-47176
## Description
This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
simulation. It injects a crafted mail item into Outlook containing a
malicious sync path that triggers an action during scanning.
**IMPORTANT:**
This PoC simulates the vulnerable Outlook path parsing and triggers a
**system restart** when the malicious path is detected.
---
## Additional Testing with malicious.prf
You can also test this PoC by importing a crafted Outlook Profile File
(`malicious.prf`):
1. Place `malicious.prf` in the same folder as `PoC.py`.
2. Run Outlook with the import command:
```powershell
& "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
/importprf malicious.prf
## Usage
1. Ensure you have Outlook installed and configured on your Windows machine.
2. Run the PoC script with Python 3.x (requires `pywin32` package):
```powershell
pip install pywin32
python PoC.py
```
3. The script will:
- Inject a mail item with the malicious sync path.
- Wait 10 seconds for Outlook to process the mail.
- Scan Inbox and Drafts folders.
- Upon detection, normalize the path and trigger a system restart
(`shutdown /r /t 5`).
---
## Warning
- This script **will restart your computer** after 5 seconds once the
payload is triggered.
- Save all work before running.
- Test only in a controlled or virtualized environment.
- Do **NOT** run on production or important systems.
---
## Files
- `PoC.py` - The Python proof-of-concept script.
- `README.md` - This file.
---
## License
This PoC is provided for educational and research purposes only.
Use responsibly and ethically.
# Video:
[href](https://www.youtube.com/watch?v=nac3kUe_d1c)
# Source:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)
# Buy me a coffee if you are not ashamed:
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
# Time spent:
03:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
На нд, 6.07.2025 г. в 10:34 nu11 secur1ty <nu11secur1typentest@gmail.com>
написа:
> # Titles: Microsoft Outlook Remote Code Execution Vulnerability - ACE
> # Author: nu11secur1ty
> # Date: 07/06/2025
> # Vendor: Microsoft
> # Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
> # Reference:
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
> https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
> # CVE-2025-47176
>
> ## Description
> This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
> simulation. It injects a crafted mail item into Outlook containing a
> malicious sync path that triggers an action during scanning.
>
> **IMPORTANT:**
> This PoC simulates the vulnerable Outlook path parsing and triggers a
> **system restart** when the malicious path is detected.
>
> ---
> ## Additional Testing with malicious.prf
>
> You can also test this PoC by importing a crafted Outlook Profile File
> (`malicious.prf`):
>
> 1. Place `malicious.prf` in the same folder as `PoC.py`.
> 2. Run Outlook with the import command:
>
> ```powershell
> & "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
> /importprf malicious.prf
>
>
> ## Usage
>
> 1. Ensure you have Outlook installed and configured on your Windows
> machine.
> 2. Run the PoC script with Python 3.x (requires `pywin32` package):
> ```powershell
> pip install pywin32
> python PoC.py
> ```
> 3. The script will:
> - Inject a mail item with the malicious sync path.
> - Wait 10 seconds for Outlook to process the mail.
> - Scan Inbox and Drafts folders.
> - Upon detection, normalize the path and trigger a system restart
> (`shutdown /r /t 5`).
>
> ---
>
> ## Warning
>
> - This script **will restart your computer** after 5 seconds once the
> payload is triggered.
> - Save all work before running.
> - Test only in a controlled or virtualized environment.
> - Do **NOT** run on production or important systems.
>
> ---
>
> ## Files
>
> - `PoC.py` - The Python proof-of-concept script.
> - `README.md` - This file.
>
> ---
>
> ## License
>
> This PoC is provided for educational and research purposes only.
>
> Use responsibly and ethically.
>
>
> # Reproduce:
> [href](https://www.youtube.com/watch?v=yOra0pm8CHg)
>
> # Source:
> [href](
> https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)
>
> # Buy me a coffee if you are not ashamed:
> [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
>
> # Time spent:
> 03:35:00
>
>
> --
> System Administrator - Infrastructure Engineer
> Penetration Testing Engineer
> Exploit developer at https://packetstormsecurity.com/
> https://cve.mitre.org/index.html
> https://cxsecurity.com/ and https://www.exploit-db.com/
> 0day Exploit DataBase https://0day.today/
> home page: https://www.nu11secur1ty.com/
> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
> nu11secur1ty <http://nu11secur1ty.com/>
>
> На нд, 6.07.2025 г. в 9:53 nu11 secur1ty <nu11secur1typentest@gmail.com>
> написа:
>
>> # Titles: Microsoft Outlook Remote Code Execution Vulnerability - ACE
>> # Author: nu11secur1ty
>> # Date: 07/06/2025
>> # Vendor: Microsoft
>> # Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
>> # Reference:
>> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >
>> https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
>> # CVE-2025-47176
>>
>> ## Description
>> This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability
>> simulation. It injects a crafted mail item into Outlook containing a
>> malicious sync path that triggers an action during scanning.
>>
>> **IMPORTANT:**
>> This PoC simulates the vulnerable Outlook path parsing and triggers a
>> **system restart** when the malicious path is detected.
>>
>> ---
>> ## Additional Testing with malicious.prf
>>
>> You can also test this PoC by importing a crafted Outlook Profile File
>> (`malicious.prf`):
>>
>> 1. Place `malicious.prf` in the same folder as `PoC.py`.
>> 2. Run Outlook with the import command:
>>
>> ```powershell
>> & "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
>> /importprf malicious.prf
>>
>>
>> ## Usage
>>
>> 1. Ensure you have Outlook installed and configured on your Windows
>> machine.
>> 2. Run the PoC script with Python 3.x (requires `pywin32` package):
>> ```powershell
>> pip install pywin32
>> python PoC.py
>> ```
>> 3. The script will:
>> - Inject a mail item with the malicious sync path.
>> - Wait 10 seconds for Outlook to process the mail.
>> - Scan Inbox and Drafts folders.
>> - Upon detection, normalize the path and trigger a system restart
>> (`shutdown /r /t 5`).
>>
>> ---
>>
>> ## Warning
>>
>> - This script **will restart your computer** after 5 seconds once the
>> payload is triggered.
>> - Save all work before running.
>> - Test only in a controlled or virtualized environment.
>> - Do **NOT** run on production or important systems.
>>
>> ---
>>
>> ## Files
>>
>> - `PoC.py` - The Python proof-of-concept script.
>> - `README.md` - This file.
>>
>> ---
>>
>> ## License
>>
>> This PoC is provided for educational and research purposes only.
>>
>> Use responsibly and ethically.
>>
>>
>> # Reproduce:
>> [href](https://www.youtube.com/watch?v=yOra0pm8CHg)
>>
>> # Buy me a coffee if you are not ashamed:
>> [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
>>
>> # Time spent:
>> 03:35:00
>>
>>
>> --
>> System Administrator - Infrastructure Engineer
>> Penetration Testing Engineer
>> Exploit developer at https://packetstormsecurity.com/
>> https://cve.mitre.org/index.html
>> https://cxsecurity.com/ and https://www.exploit-db.com/
>> 0day Exploit DataBase https://0day.today/
>> home page: https://www.nu11secur1ty.com/
>> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
>> nu11secur1ty <http://nu11secur1ty.com/>
>>
>> --
>>
>> System Administrator - Infrastructure Engineer
>> Penetration Testing Engineer
>> Exploit developer at https://packetstorm.news/
>> https://cve.mitre.org/index.html
>> https://cxsecurity.com/ and https://www.exploit-db.com/
>> 0day Exploit DataBase https://0day.today/
>> home page: https://www.nu11secur1ty.com/
>> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
>> nu11secur1ty <http://nu11secur1ty.com/>
>>
>
>
> --
>
> System Administrator - Infrastructure Engineer
> Penetration Testing Engineer
> Exploit developer at https://packetstorm.news/
> https://cve.mitre.org/index.html
> https://cxsecurity.com/ and https://www.exploit-db.com/
> 0day Exploit DataBase https://0day.today/
> home page: https://www.nu11secur1ty.com/
> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
> nu11secur1ty <http://nu11secur1ty.com/>
>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>