CVE-2025-47176
published 2025-06-10

CVE-2025-47176: '.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.

Priority: P1, 79, high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.65% (46.4th percentile)

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_apps_for_enterprise | >= 16.0.1 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_2024 | >= 16.0.0 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | office_long_term_servicing_channel | | |
| msrc | microsoft_365_apps_for_enterprise_for_32-bit_systems | | |
| msrc | microsoft_365_apps_for_enterprise_for_64-bit_systems | | |
| msrc | microsoft_office_ltsc_2024_for_32-bit_editions | | |
| msrc | microsoft_office_ltsc_2024_for_64-bit_editions | | |

Detection & IOCs (extracted from sources)

filename: malicious.prf
command: & "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /importprf malicious.prf
url: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47176
  • Detect path traversal patterns using the '.../...//' double-dot-slash obfuscation sequence in Outlook sync path or mail item metadata, which is the core trigger for this vulnerability.
  • Alert on OUTLOOK.EXE spawning shutdown.exe or cmd.exe with shutdown arguments, as the PoC payload triggers 'shutdown /r /t 5' upon successful exploitation.
  • The exploit injects a crafted mail item with a malicious sync path into Inbox and Drafts folders; monitor for anomalous programmatic COM/pywin32 access to Outlook mail stores.
  • The Preview Pane is NOT an attack vector; focus detection on local execution contexts (authenticated local attacker, low privileges required).
  • The vulnerability requires local execution by an authenticated (low-privilege) user; it is NOT remotely exploitable over the network despite the 'RCE' label.
  • Security updates for Microsoft 365 / Click-to-Run were not immediately available at time of disclosure; patch availability should be verified before assuming coverage.
  • Exploit status at time of disclosure was 'Publicly Disclosed: No; Exploited: No; Exploitation Unlikely', but a public PoC now exists on Exploit-DB.

CVSS provenance

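| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |
| vendor_redhat | | 5.3 | MEDIUM | |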