CVE-2025-47176
published 2025-06-10
CVE-2025-47176: '.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.
Priority: P179 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.65% (46.4th percentile)
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_apps_for_enterprise | >= 16.0.1 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_2024 | >= 16.0.0 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | office_long_term_servicing_channel | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_32-bit_systems | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_64-bit_systems | — | — |
| msrc | microsoft_office_ltsc_2024_for_32-bit_editions | — | — |
| msrc | microsoft_office_ltsc_2024_for_64-bit_editions | — | — |
Detection & IOCs (extracted from sources)
- Detect path traversal patterns using the '.../...//' double-dot-slash obfuscation sequence in Outlook sync path or mail item metadata, which is the core trigger for this vulnerability.
- Alert on OUTLOOK.EXE spawning shutdown.exe or cmd.exe with shutdown arguments, as the PoC payload triggers 'shutdown /r /t 5' upon successful exploitation.
- The exploit injects a crafted mail item with a malicious sync path into Inbox and Drafts folders; monitor for anomalous programmatic COM/pywin32 access to Outlook mail stores.
- The Preview Pane is NOT an attack vector; focus detection on local execution contexts (authenticated local attacker, low privileges required).
- The vulnerability requires local execution by an authenticated (low-privilege) user; it is NOT remotely exploitable over the network despite the 'RCE' label.
- Security updates for Microsoft 365 / Click-to-Run were not immediately available at time of disclosure; patch availability should be verified before assuming coverage.
- Exploit status at time of disclosure was 'Publicly Disclosed: No; Exploited: No; Exploitation Unlikely', but a public PoC now exists on Exploit-DB.
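The first two detection items above can be expressed as a small triage function over process-creation events. This is an added example, not code from this page or its sources; the event field names (`parent_image`, `image`, `command_line`) and the sample events are assumptions constructed for illustration.

```python
import re

# Literal '.../...//' sequence named in the advisory; backslashes are also
# accepted because Windows paths may use either separator (an assumption).
TRAVERSAL_RE = re.compile(r"\.\.\.[\\/]\.\.\.[\\/]{2}")
SHUTDOWN_RE = re.compile(r"\bshutdown(\.exe)?\b", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def has_traversal(value):
    """True if a sync path or metadata string contains the '.../...//' pattern."""
    return bool(TRAVERSAL_RE.search(value or ""))


def classify(event):
    """Return the list of findings for one process-creation event (dict)."""
    findings = []
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    if parent == "outlook.exe":
        if child == "shutdown.exe":
            findings.append("outlook_spawned_shutdown")
        elif child == "cmd.exe" and SHUTDOWN_RE.search(cmdline):
            findings.append("outlook_spawned_cmd_shutdown")
    if has_traversal(cmdline):
        findings.append("traversal_sequence_in_command_line")
    return findings


# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\shutdown.exe", "command_line": "shutdown /r /t 5"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c shutdown /r /t 5"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\shutdown.exe", "command_line": "shutdown /s /t 0"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "command_line": "WINWORD.EXE /n report.docx"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), classify(ev))
```

`has_traversal` can be applied unchanged to sync-path or mail-item metadata strings exported from a mail store; a plain `../` sequence does not match, only the three-dot form quoted in the advisory.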
CVSS provenance
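| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |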
GHSA
GHSA-7v3j-qcv2-4wc4: '
ghsa_unreviewed·2025-06-10
CVE-2025-47176 [HIGH] CWE-22 GHSA-7v3j-qcv2-4wc4: '
'.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.
VulnCheck
Microsoft Office Path Traversal: '.../...//'
vulncheck·2025·CVSS 7.8
CVE-2025-47176 [HIGH] Microsoft Office Path Traversal: '.../...//'
'.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.
Affected: Microsoft Office
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://falconfeeds.io/blogs/unmasking-handala-iran-cyber-threat-psyops
Exploit PoC: https://vulncheck.com/xdb/d109b6df9bc4
Red Hat
cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS
vendor_redhat·2025-09-11·CVSS 5.3
CVE-2025-58364 [MEDIUM] CWE-476 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, unsafe deserialization and validation of printer attributes causes a null dereference in the libcups library. This is a remote DoS vulnerability exploitable from the local subnet in default configurations. It can cause cups and cups-browsed to crash on all machines in the local network that are listening for printers (so by default on all regular Linux machines). On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to IPP port, and the machine is set to be a
Microsoft
Microsoft Outlook Remote Code Execution Vulnerability
vendor_msrc·2025-06-10·CVSS 7.8
CVE-2025-47176 [HIGH] CWE-35 Microsoft Outlook Remote Code Execution Vulnerability
Description: '.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.
FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.
FAQ: According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
Any authenticated attacker could trigger this vulnerability. It does not require
No detection rules found.