CVE-2025-47165

HIGH EXPLOITED

Microsoft 365 Apps and Excel - Use-After-Free


Exploitation Summary

CVE-2025-47165 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including nu11secur1ty.

AI-analyzed exploit summary: This exploit generates a malicious DOCM file with a VBA macro that leverages a use-after-free vulnerability in Microsoft Excel 2024 to achieve remote code execution. It also sets up an HTTP server to serve the malicious file.

Description

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Exploits (1)

exploitdb WORKING POC
by nu11secur1ty · python · remote · windows
https://www.exploit-db.com/exploits/52343


Classification
Working PoC 90%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Excel 2024, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise
No auth needed
Prerequisites: Microsoft Word installed on Windows · Victim to open the malicious DOCM file · Macros enabled in the victim's Office settings
Analyzed by devstral-2 on Feb 16, 2026

References (1)


Scores

CVSS v3 7.8
EPSS 0.0101
EPSS Percentile 77.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-09-03
CWE
CWE-416
Status published
Products (6)
microsoft/365_apps
microsoft/excel 2016
microsoft/office 2019
microsoft/office_long_term_servicing_channel 2021 (2 CPE variants)
microsoft/office_long_term_servicing_channel 2024 (2 CPE variants)
microsoft/office_online_server < 16.0.10417.20018
Published Jun 10, 2025
Tracked Since Feb 18, 2026