# Title: CVE-2025-49702 - Office Macro Callback PoC (For Authorized Security Testing Only)
# Author: nu11secur1ty
# Date: 07/23/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/windows/windows-11?r=1
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-49702
# Base Score: 7.8 HIGH
# Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
## 📝 Overview
This repository demonstrates a **proof-of-concept (PoC)** for simulating an Office document (`.docm`) that contains a macro, which performs a simple HTTP callback to a server when the document is opened. This is intended for use in **authorized red team simulations**, malware research, or macro behavior analysis in a controlled lab environment.
> ❗ **DISCLAIMER**: This PoC is intended strictly for ethical and legal use. Do not use it without explicit permission and scope. Misuse may violate laws or organizational policy.
## 📂 Components
- `callback_macro.docm`: Auto-executing Word macro document.
- `server.py`: Python HTTP server that:
  - Hosts the `.docm` file
  - Logs incoming callbacks
  - Records victim IP/User-Agent/etc. in `callback.txt`
- `README.md`: Documentation (this file)
## 🛠 Requirements
- Python 3.x
- `pywin32` (for Word automation on Windows)
- Microsoft Word installed (to generate `.docm` file)
## ⚙️ Setup Instructions
1. Install Python dependencies:
```bash
pip install pywin32
```
2. Run the server to generate the macro file and listen for callbacks:
```bash
CVE-2025-49702.py
```
3. Share the link (e.g. `http://<your_ip>:8000/callback_macro.docm`) with the target (within legal scope only).
4. Once the document is opened by the target:
   - A callback is triggered to `http://<your_ip>:8000/callback`
   - Info is logged in `callback.txt` (IP, User-Agent, etc.)
## 🧪 Example Callback Log
```
[*] Callback received from victim!
IP: 10.10.0.13
User-Agent: Microsoft Office Word 16.0
Timestamp: 2025-07-23 19:31:43
```
## 🔐 Mitigation Tips (for Blue Teams)
- Block macros by default via Group Policy
- Enable Microsoft Defender’s macro scanning
- Warn users against opening .docm files from untrusted sources
- Monitor outbound HTTP(S) traffic for suspicious callbacks
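The two checks below are an added defender-side example, not code from nu11secur1ty's PoC. They implement two of the tips above: inspecting an OOXML Word file for an embedded VBA project before it reaches a user (a `.docm` is a zip container whose macro code lives in `word/vbaProject.bin`, and whose `[Content_Types].xml` declares the macro-enabled main part type), and scanning egress-proxy log lines for HTTP requests carrying an Office User-Agent to hosts that are not allow-listed, which is the traffic shape the PoC's callback produces. The sample document and the proxy log lines are constructed in memory so the script runs offline; the log format and the `microsoftonline.com` allow-list entry are assumptions, not anything the PoC defines.

```python
"""Defender-side checks for macro-enabled Office documents and Office-originated
HTTP callbacks. Added example; all sample data below is constructed."""
import io
import re
import zipfile

# Content types that mark a macro-enabled Word document/template.
MACRO_ENABLED_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
)
VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)


def detect_macros(blob: bytes) -> dict:
    """Inspect an OOXML document (bytes) and report macro indicators.

    Both the VBA part and the content-type declaration are checked,
    because a renamed or hand-edited file may carry only one of them.
    """
    result = {"is_ooxml": False, "vba_part": None,
              "macro_content_type": False, "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return result  # not a zip container, so not an OOXML file
    with zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        for name in names:
            if VBA_PART_RE.search(name):
                result["vba_part"] = name
                break
        if result["is_ooxml"]:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(t in ctypes for t in MACRO_ENABLED_TYPES)
    result["has_macros"] = bool(result["vba_part"] or result["macro_content_type"])
    return result


def _build_sample(macro: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data)."""
    main_type = (MACRO_ENABLED_TYPES[0] if macro else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
              '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for the OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


# Constructed egress-proxy lines in an assumed format:
#   client_ip method url "User-Agent"
SAMPLE_PROXY_LOG = """\
10.10.0.13 GET http://203.0.113.5:8000/callback "Microsoft Office Word 16.0"
10.10.0.21 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
10.10.0.13 GET http://203.0.113.5:8000/callback_macro.docm "Microsoft Office Word 16.0"
10.10.0.30 POST https://login.microsoftonline.com/ "Microsoft Office Word 16.0"
"""
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
OFFICE_UA_RE = re.compile(r"Microsoft Office (Word|Excel|PowerPoint)", re.IGNORECASE)


def find_office_callbacks(log_text: str, allowlist=("microsoftonline.com",)) -> list:
    """Return (client_ip, url) for Office-originated requests to non-allow-listed hosts.

    Office legitimately talks to Microsoft services, so the allow-list keeps
    that noise out; anything else fetched by an Office process deserves a look.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        ip, _method, url, ua = m.groups()
        if not OFFICE_UA_RE.search(ua):
            continue
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
        if any(host == a or host.endswith("." + a) for a in allowlist):
            continue
        hits.append((ip, url))
    return hits


if __name__ == "__main__":
    print(detect_macros(_build_sample(macro=True)))
    print(detect_macros(_build_sample(macro=False)))
    for ip, url in find_office_callbacks(SAMPLE_PROXY_LOG):
        print(f"[!] Office process on {ip} fetched {url}")
```

`detect_macros` is suited to a mail gateway or file-share scan where the attachment bytes are already in hand; `find_office_callbacks` is the shape of a proxy-log query, and in practice the allow-list would be filled from your own tenant's known Office endpoints.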
## 📚 References
- Microsoft Macro Security Documentation
- Red Team Tactics: Office Macros
## 🛡 Legal Notice
This PoC is provided for educational and authorized penetration testing only.
The authors take no responsibility for misuse. Use it only in compliance with local laws and organizational policy.
# Video:
[href](https://www.youtube.com/watch?v=H7sVxi4jH0A)
# Source:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49702)
# Buy me a coffee if you are not ashamed:
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
# Source download
[href](https://nu11secur1ty.github.io/DownGit/#/home?url=https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49702)
# Time spent:
03:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/