CVE-2025-47176

HIGH EXPLOITED

Microsoft 365 Apps and Office LTSC - Path Traversal and Local Code Execution via Outlook Path Handling

Title source: llm

Exploitation Summary

CVE-2025-47176 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including mahyarx.

AI-analyzed exploit summary This PoC demonstrates CVE-2025-47176 by injecting a malicious email into Outlook with a crafted sync path. When the trigger link is clicked, it simulates vulnerable path parsing and executes a system restart command.

Description

'.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.

Exploits (1)

nomisec WORKING POC 1 stars

by mahyarx · client-side

https://github.com/mahyarx/CVE-2025-47176

View Code ZIP pw:eip

This PoC demonstrates CVE-2025-47176 by injecting a malicious email into Outlook with a crafted sync path. When the trigger link is clicked, it simulates vulnerable path parsing and executes a system restart command.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Outlook

No auth needed

Prerequisites: Outlook installed and configured · Python 3.x with pywin32 package

MITRE ATT&CK

T1204 - User Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47176

Scores

CVSS v3 7.8

EPSS 0.0115

EPSS Percentile 79.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

VulnCheck KEV 2025-06-16

CWE

CWE-22 CWE-35

Status published

Products (2)

microsoft/365_apps (2 CPE variants)

microsoft/office_long_term_servicing_channel 2024 (2 CPE variants)

Published Jun 10, 2025

Tracked Since Feb 18, 2026