Microsoft Outlook – Remote Code Execution (RCE)

• CVE-2025-47176

Titles:……

# Titles: Microsoft Outlook – Remote Code Execution (RCE)

# Author: nu11secur1ty

# Date: 07/06/2025

# Vendor: Microsoft

# Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in

# Reference:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >

https://www.cloudflare.com/learning/security/what-is-remote-code-execution/

# CVE-2025-47176

## Description

This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability

simulation. It injects a crafted mail item into Outlook containing a

malicious sync path that triggers an action during scanning.

**IMPORTANT:**

This PoC simulates the vulnerable Outlook path parsing and triggers a

**system restart** when the malicious path is detected.

—

## Additional Testing with malicious.prf

You can also test this PoC by importing a crafted Outlook Profile File

(`malicious.prf`):

1. Place `malicious.prf` in the same folder as `PoC.py`.

2. Run Outlook with the import command:

“`powershell

& “C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE”

/importprf malicious.prf

## Usage

1. Ensure you have Outlook installed and configured on your Windows machine.

2. Run the PoC script with Python 3.x (requires `pywin32` package):

“`powershell

pip install pywin32

python PoC.py

“`

3. The script will:

– Inject a mail item with the malicious sync path.

– Wait 10 seconds for Outlook to process the mail.

– Scan Inbox and Drafts folders.

– Upon detection, normalize the path and trigger a system restart

(`shutdown /r /t 5`).

—

## Warning

– This script **will restart your computer** after 5 seconds once the

payload is triggered.

– Save all work before running.

– Test only in a controlled or virtualized environment.

– Do **NOT** run on production or important systems.

—

## Files

– `PoC.py` – The Python proof-of-concept script.

– `README.md` – This file.

—

## License

This PoC is provided for educational and research purposes only.

Use responsibly and ethically.

# Video:

[href](https://www.youtube.com/watch?v=nac3kUe_d1c)

# Source:

[href](

https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)

# Buy me a coffee if you are not ashamed:

[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)

# Time spent:

03:35:00

—

System Administrator – Infrastructure Engineer

Penetration Testing Engineer

Exploit developer at https://packetstormsecurity.com/

https://cve.mitre.org/index.html

https://cxsecurity.com/ and https://www.exploit-db.com/

0day Exploit DataBase https://0day.today/

home page: https://www.nu11secur1ty.com/

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

nu11secur1ty

На нд, 6.07.2025 г. в 10:34 nu11 secur1ty

написа:

> # Titles: Microsoft Outlook Remote Code Execution Vulnerability – ACE

> # Author: nu11secur1ty

> # Date: 07/06/2025

> # Vendor: Microsoft

> # Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in

> # Reference:

> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >

> https://www.cloudflare.com/learning/security/what-is-remote-code-execution/

> # CVE-2025-47176

>

> ## Description

> This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability

> simulation. It injects a crafted mail item into Outlook containing a

> malicious sync path that triggers an action during scanning.

>

> **IMPORTANT:**

> This PoC simulates the vulnerable Outlook path parsing and triggers a

> **system restart** when the malicious path is detected.

>

> —

> ## Additional Testing with malicious.prf

>

> You can also test this PoC by importing a crafted Outlook Profile File

> (`malicious.prf`):

>

> 1. Place `malicious.prf` in the same folder as `PoC.py`.

> 2. Run Outlook with the import command:

>

> “`powershell

> & “C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE”

> /importprf malicious.prf

>

>

> ## Usage

>

> 1. Ensure you have Outlook installed and configured on your Windows

> machine.

> 2. Run the PoC script with Python 3.x (requires `pywin32` package):

> “`powershell

> pip install pywin32

> python PoC.py

> “`

> 3. The script will:

> – Inject a mail item with the malicious sync path.

> – Wait 10 seconds for Outlook to process the mail.

> – Scan Inbox and Drafts folders.

> – Upon detection, normalize the path and trigger a system restart

> (`shutdown /r /t 5`).

>

> —

>

> ## Warning

>

> – This script **will restart your computer** after 5 seconds once the

> payload is triggered.

> – Save all work before running.

> – Test only in a controlled or virtualized environment.

> – Do **NOT** run on production or important systems.

>

> —

>

> ## Files

>

> – `PoC.py` – The Python proof-of-concept script.

> – `README.md` – This file.

>

> —

>

> ## License

>

> This PoC is provided for educational and research purposes only.

>

> Use responsibly and ethically.

>

>

> # Reproduce:

> [href](https://www.youtube.com/watch?v=yOra0pm8CHg)

>

> # Source:

> [href](

> https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)

>

> # Buy me a coffee if you are not ashamed:

> [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)

>

> # Time spent:

> 03:35:00

>

>

> —

> System Administrator – Infrastructure Engineer

> Penetration Testing Engineer

> Exploit developer at https://packetstormsecurity.com/

> https://cve.mitre.org/index.html

> https://cxsecurity.com/ and https://www.exploit-db.com/

> 0day Exploit DataBase https://0day.today/

> home page: https://www.nu11secur1ty.com/

> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

> nu11secur1ty

>

> На нд, 6.07.2025 г. в 9:53 nu11 secur1ty

> написа:

>

>> # Titles: Microsoft Outlook Remote Code Execution Vulnerability – ACE

>> # Author: nu11secur1ty

>> # Date: 07/06/2025

>> # Vendor: Microsoft

>> # Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in

>> # Reference:

>> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 >

>> https://www.cloudflare.com/learning/security/what-is-remote-code-execution/

>> # CVE-2025-47176

>>

>> ## Description

>> This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability

>> simulation. It injects a crafted mail item into Outlook containing a

>> malicious sync path that triggers an action during scanning.

>>

>> **IMPORTANT:**

>> This PoC simulates the vulnerable Outlook path parsing and triggers a

>> **system restart** when the malicious path is detected.

>>

>> —

>> ## Additional Testing with malicious.prf

>>

>> You can also test this PoC by importing a crafted Outlook Profile File

>> (`malicious.prf`):

>>

>> 1. Place `malicious.prf` in the same folder as `PoC.py`.

>> 2. Run Outlook with the import command:

>>

>> “`powershell

>> & “C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE”

>> /importprf malicious.prf

>>

>>

>> ## Usage

>>

>> 1. Ensure you have Outlook installed and configured on your Windows

>> machine.

>> 2. Run the PoC script with Python 3.x (requires `pywin32` package):

>> “`powershell

>> pip install pywin32

>> python PoC.py

>> “`

>> 3. The script will:

>> – Inject a mail item with the malicious sync path.

>> – Wait 10 seconds for Outlook to process the mail.

>> – Scan Inbox and Drafts folders.

>> – Upon detection, normalize the path and trigger a system restart

>> (`shutdown /r /t 5`).

>>

>> —

>>

>> ## Warning

>>

>> – This script **will restart your computer** after 5 seconds once the

>> payload is triggered.

>> – Save all work before running.

>> – Test only in a controlled or virtualized environment.

>> – Do **NOT** run on production or important systems.

>>

>> —

>>

>> ## Files

>>

>> – `PoC.py` – The Python proof-of-concept script.

>> – `README.md` – This file.

>>

>> —

>>

>> ## License

>>

>> This PoC is provided for educational and research purposes only.

>>

>> Use responsibly and ethically.

>>

>>

>> # Reproduce:

>> [href](https://www.youtube.com/watch?v=yOra0pm8CHg)

>>

>> # Buy me a coffee if you are not ashamed:

>> [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)

>>

>> # Time spent:

>> 03:35:00

>>

>>

>> —

>> System Administrator – Infrastructure Engineer

>> Penetration Testing Engineer

>> Exploit developer at https://packetstormsecurity.com/

>> https://cve.mitre.org/index.html

>> https://cxsecurity.com/ and https://www.exploit-db.com/

>> 0day Exploit DataBase https://0day.today/

>> home page: https://www.nu11secur1ty.com/

>> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

>> nu11secur1ty

>>

>> —

>>

>> System Administrator – Infrastructure Engineer

>> Penetration Testing Engineer

>> Exploit developer at https://packetstorm.news/

>> https://cve.mitre.org/index.html

>> https://cxsecurity.com/ and https://www.exploit-db.com/

>> 0day Exploit DataBase https://0day.today/

>> home page: https://www.nu11secur1ty.com/

>> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

>> nu11secur1ty

>>

>

>

> —

>

> System Administrator – Infrastructure Engineer

> Penetration Testing Engineer

> Exploit developer at https://packetstorm.news/

> https://cve.mitre.org/index.html

> https://cxsecurity.com/ and https://www.exploit-db.com/

> 0day Exploit DataBase https://0day.today/

> home page: https://www.nu11secur1ty.com/

> hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

> nu11secur1ty

>

—

System Administrator – Infrastructure Engineer

Penetration Testing Engineer

Exploit developer at https://packetstorm.news/

https://cve.mitre.org/index.html

https://cxsecurity.com/ and https://www.exploit-db.com/

0day Exploit DataBase https://0day.today/

home page: https://www.nu11secur1ty.com/

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

nu11secur1ty