# Titles: Microsoft Outlook - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 07/06/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/microsoft-365/outlook/log-in
# Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176
https://www.cloudflare.com/learning/security/what-is-remote-code-execution/

# CVE-2025-47176

## Description

This proof-of-concept (PoC) demonstrates the CVE-2025-47176 vulnerability simulation. It injects a crafted mail item into Outlook containing a malicious sync path that triggers an action during scanning.

**IMPORTANT:**
This PoC simulates the vulnerable Outlook path parsing and triggers a **system restart** when the malicious path is detected.

---

## Additional Testing with malicious.prf

You can also test this PoC by importing a crafted Outlook Profile File (`malicious.prf`):

1. Place `malicious.prf` in the same folder as `PoC.py`.
2. Run Outlook with the import command:

```powershell
& "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /importprf malicious.prf
```

## Usage

1. Ensure you have Outlook installed and configured on your Windows machine.
2. Run the PoC script with Python 3.x (requires `pywin32` package):

```powershell
pip install pywin32
python PoC.py
```

3. The script will:
   - Inject a mail item with the malicious sync path.
   - Wait 10 seconds for Outlook to process the mail.
   - Scan Inbox and Drafts folders.
   - Upon detection, normalize the path and trigger a system restart (`shutdown /r /t 5`).

---

## Warning

- This script **will restart your computer** after 5 seconds once the payload is triggered.
- Save all work before running.
- Test only in a controlled or virtualized environment.
- Do **NOT** run on production or important systems.

---

## Files

- `PoC.py` - The Python proof-of-concept script.
- `README.md` - This file.

---

## License

This PoC is provided for educational and research purposes only.

Use responsibly and ethically.

# Video:
[href](https://www.youtube.com/watch?v=nac3kUe_d1c)

# Source:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176)

# Buy me a coffee if you are not ashamed:
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)

# Time spent:
03:35:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
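
A detection-side view of the two command lines the README names, `OUTLOOK.EXE /importprf <file>` and `shutdown /r /t 5`, as an added example that is not part of the original post or of `PoC.py`. The record layout (loosely modelled on process-creation telemetry), the trusted PRF share, the script-host list and the 10-second threshold are all assumptions, and the events are constructed.

```python
import re

# Constructed process-creation records; field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /importprf malicious.prf'},
    {"image": r"C:\Windows\System32\shutdown.exe",
     "parent": r"C:\Python312\python.exe",
     "cmdline": "shutdown /r /t 5"},
    {"image": r"C:\Windows\System32\shutdown.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "shutdown /r /t 3600"},
]

IMPORTPRF = re.compile(r'/importprf\s+("([^"]+)"|(\S+))', re.IGNORECASE)
RESTART = re.compile(r'(^|\s)/r(\s|$)', re.IGNORECASE)
TIMEOUT = re.compile(r'/t\s+(\d+)', re.IGNORECASE)
# Assumption: legitimate PRF files are only deployed from this (hypothetical) share.
TRUSTED_PRF_PREFIX = "\\\\deploy.example.internal\\outlook\\"
SCRIPT_HOSTS = ("python.exe", "pythonw.exe", "powershell.exe", "wscript.exe", "cscript.exe")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return a list of finding strings for one process-creation record."""
    findings = []
    exe, cmd = basename(event["image"]), event["cmdline"]
    if exe == "outlook.exe":
        m = IMPORTPRF.search(cmd)
        if m:
            prf = m.group(2) or m.group(3)  # quoted or bare PRF path
            if not prf.lower().startswith(TRUSTED_PRF_PREFIX):
                findings.append(f"outlook /importprf from untrusted location: {prf}")
    elif exe == "shutdown.exe" and RESTART.search(cmd):
        t = TIMEOUT.search(cmd)
        delay = int(t.group(1)) if t else 30  # shutdown.exe waits 30 s by default
        if delay <= 10 and basename(event["parent"]) in SCRIPT_HOSTS:
            findings.append(f"restart in {delay}s spawned by {basename(event['parent'])}")
    return findings

def scan(events):
    """Return (event index, finding) pairs for every record that triggers a rule."""
    return [(i, f) for i, e in enumerate(events) for f in triage(e)]
```
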