# Title: Microsoft Outlook Remote Code Execution Vulnerability - ACE
# Author: nu11secur1ty
# Date: 07/06/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
# Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176 > https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
# CVE-2025-47176
## Description
This proof-of-concept (PoC) simulates the CVE-2025-47176 vulnerability. It injects a crafted mail item into Outlook that contains a malicious sync path, and that path triggers an action when the folders are scanned.
**IMPORTANT:**
This PoC simulates the vulnerable Outlook path parsing and triggers a **system restart** when the malicious path is detected.
---
## Additional Testing with malicious.prf
You can also test this PoC by importing a crafted Outlook Profile File (`malicious.prf`):
1. Place `malicious.prf` in the same folder as `PoC.py`.
2. Run Outlook with the import command:
```powershell
& "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /importprf malicious.prf
```
## Usage
1. Ensure you have Outlook installed and configured on your Windows machine.
2. Run the PoC script with Python 3.x (requires `pywin32` package):
```powershell
pip install pywin32
python PoC.py
```
3. The script will:
- Inject a mail item with the malicious sync path.
- Wait 10 seconds for Outlook to process the mail.
- Scan Inbox and Drafts folders.
- Upon detection, normalize the path and trigger a system restart (`shutdown /r /t 5`).
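A defender-side check for the two process-level behaviours this README names, Outlook started with `/importprf` and `shutdown /r /t 5` issued by the Python script, as an added example that is not part of the original PoC. It assumes Sysmon-style process-creation fields (`Image`, `CommandLine`, `ParentImage`); the sample events, the Python install path and the finding labels are constructed for illustration.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon-style fields); not real telemetry.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"Image": OUTLOOK, "CommandLine": f'"{OUTLOOK}" /importprf malicious.prf',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown /r /t 5",
     "ParentImage": r"C:\Python312\python.exe"},  # assumed install path
    {"Image": OUTLOOK, "CommandLine": f'"{OUTLOOK}" /recycle',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown /r /t 0",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "py.exe"}

def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def basename(path):
    return ntpath.basename(path).lower()

def detect(event):
    """Return finding labels for one process-creation event."""
    findings = []
    args = tokens(event["CommandLine"])
    lowered = [a.lower() for a in args]
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image == "outlook.exe" and "/importprf" in lowered:
        nxt = lowered.index("/importprf") + 1
        prf = args[nxt] if nxt < len(args) else ""
        # Classify where the PRF was loaded from so an analyst can triage it.
        where = "unc" if prf.startswith("\\\\") else "absolute" if ntpath.isabs(prf) else "relative"
        findings.append(f"outlook-importprf:{where}:{prf}")
    if image == "shutdown.exe" and {"/r", "-r"} & set(lowered) and parent in SCRIPT_HOSTS:
        findings.append(f"restart-from-script-host:{parent}")
    return findings

def scan(events):
    """Return (index, findings) for every event that matched a rule."""
    return [(i, f) for i, e in enumerate(events) if (f := detect(e))]

if __name__ == "__main__":
    for index, found in scan(SAMPLE_EVENTS):
        print(index, found)
```

The restart rule keys on the parent process, so a restart requested from `explorer.exe` in the sample data is not flagged.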
---
## Warning
- This script **will restart your computer** after 5 seconds once the payload is triggered.
- Save all work before running.
- Test only in a controlled or virtualized environment.
- Do **NOT** run on production or important systems.
---
## Files
- `PoC.py` - The Python proof-of-concept script.
- `README.md` - This file.
---
## License
This PoC is provided for educational and research purposes only.
Use responsibly and ethically.
# Reproduce:
[href](https://www.youtube.com/watch?v=yOra0pm8CHg)
# Source:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)
# Time spent:
03:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>