CVE-2025-47176 Overview
CVE-2025-47176 is a path traversal vulnerability in Microsoft Office Outlook that allows an authorized local attacker to execute arbitrary code. The flaw stems from improper handling of .../...// sequences, which let attacker-controlled input escape the intended directory during file resolution. Microsoft published the advisory on June 10, 2025, classifying the issue under CWE-22 (Path Traversal) and CWE-35 (Path Traversal: '.../...//'), the variant in which a filter that strips '../' once leaves fragments behind that recombine into a working traversal. Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) of the affected host, with the attacker's code running in the context of the user who runs Outlook.
Critical Impact
An authenticated local attacker can execute arbitrary code in the context of the Outlook process. Because scope is unchanged (S:U), the attacker gains the rights of the logged-on user rather than SYSTEM; full host compromise requires chaining with a separate elevation of privilege.
Affected Products
- Microsoft 365 Apps Enterprise (x64 and x86)
- Microsoft Office Long Term Servicing Channel 2024 (x64 and x86)
- Microsoft Office Outlook (component shipped within the above products)
Publication Timeline
- 2025-06-10 - Microsoft advisory released; CVE-2025-47176 published to NVD
- 2026-02-13 - Last updated in the NVD database
Technical Details for CVE-2025-47176
Vulnerability Analysis
The vulnerability is a path traversal weakness (CWE-22) in how Microsoft Office Outlook resolves filesystem paths. The CWE-35 classification ('.../...//') points to a specific sanitization bug: a filter removes '../' (or '..\') from the input in a single pass, and the characters left between the removed matches recombine into a fresh '../' that the filter never sees. Input that looked harmless to the check therefore resolves to a location outside the intended scope. Microsoft has not published the affected code path, so the description here covers the weakness class rather than confirmed internals.
An attacker who can place or influence file paths processed by Outlook can redirect file operations to arbitrary directories. When combined with Outlook's loading of code modules or auxiliary files from those resolved paths, the traversal becomes a code execution primitive. At the time of writing the EPSS score is 1.159% (78.8th percentile), meaning the predicted probability of exploitation in the wild is higher than that of roughly 79% of all scored CVEs.
Root Cause
The CWE-35 classification indicates a defect in canonicalization logic that strips '../' but does not correctly handle the malformed '.../...//' variant. A single left-to-right pass over '.../...//' removes the '../' at characters 2-4 and the '../' at characters 6-8; the remaining '.', '.' and '/' join to form a new '../'. Because the traversal is reconstructed after the check has already run, any allow-list validation performed on the raw input is bypassed, and the underlying Windows file APIs interpret the result as a parent-directory reference. The correct approach is to join and canonicalize first and then verify that the canonical path is still inside the permitted directory, rather than trying to remove bad tokens from the input.
Attack Vector
Exploitation requires local access and low privileges. The attacker delivers a crafted file or message that Outlook processes, causing the path-resolution routine to write or load content from an attacker-chosen location. No user interaction is required once the malicious content reaches Outlook's processing pipeline. The attack vector is local with low attack complexity, and the scope is unchanged.
Because no public proof-of-concept code is available, the exploitation mechanism is described in prose only. Refer to the Microsoft Security Update CVE-2025-47176 advisory for vendor-specific technical context.
Detection Methods for CVE-2025-47176
Indicators of Compromise
- Files written by outlook.exe to directories outside %LOCALAPPDATA%\Microsoft\Outlook or other expected working paths.
- Presence of files or directory names containing the literal traversal sequence .../...// in mail attachments, message stores, or temp paths.
- Unexpected DLL or executable modules loaded by outlook.exe from user-writable locations.
Detection Strategies
- Monitor process-image and module-load events from outlook.exe for paths resolving outside expected Office install and profile directories.
- Build endpoint detection rules that flag filesystem operations containing .../, ...//, or other malformed traversal tokens within Office-related processes.
- Correlate Outlook child-process creation with anomalous file writes performed milliseconds beforehand, a common pattern for traversal-to-execution chains.
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes and from creating executable content. Note that the rule "Block all Office applications from creating child processes" covers Word, Excel, PowerPoint, OneNote and Access; Outlook is covered by the separate rule "Block Office communication application from creating child processes", so enable that one as well.
- Forward Sysmon Event IDs 1 (process create), 7 (image load), and 11 (file create) for Outlook to a centralized SIEM and alert on writes outside known-good paths.
- Review mailbox transport logs for messages carrying attachments with unusual path metadata or filename structures consistent with traversal payloads.
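As an added example (not part of the advisory or of any Microsoft tooling), the detection strategies and the Sysmon forwarding recommendation above can be expressed as three rules run over Sysmon-style records: Event ID 11 writes by outlook.exe outside an allow-list, Event ID 7 module loads from untrusted paths, and Event ID 1 child-process creation correlated with an anomalous write in the preceding few hundred milliseconds, plus a check for the literal malformed traversal token. The allow-lists, the Outlook install path and the sample events are all constructed for illustration and would be tuned per estate.

```python
import re
from datetime import datetime, timedelta

# Constructed values for a single workstation (assumptions, tune per estate).
# Paths are compared case-insensitively with '/' folded to '\' because Sysmon logs Windows paths.
OUTLOOK = r"c:\program files\microsoft office\root\office16\outlook.exe"
ALLOWED_WRITE_PREFIXES = (
    r"c:\users\alice\appdata\local\microsoft\outlook",
    r"c:\users\alice\appdata\local\microsoft\windows\inetcache",
    r"c:\users\alice\appdata\local\temp",
)
TRUSTED_IMAGE_PREFIXES = (
    r"c:\program files\microsoft office",
    r"c:\program files\common files\microsoft shared",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)
# Three or more dots followed by a separator: matches '.../', '...//', '...\' and longer variants.
MALFORMED_TRAVERSAL = re.compile(r"\.{3,}[\\/]")
CORRELATION_WINDOW = timedelta(milliseconds=500)


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def has_malformed_traversal(path: str) -> bool:
    return bool(MALFORMED_TRAVERSAL.search(path))


def detect(events: list[dict]) -> list[str]:
    """Apply the rules to a batch of Sysmon-style records (dicts keyed by Sysmon
    field names) and return human-readable alerts in time order."""
    alerts = []
    anomalous_writes = []  # (timestamp, target) for outlook.exe writes outside the allow-list
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts = datetime.fromisoformat(ev["UtcTime"])
        eid = ev["EventID"]
        if eid == 11 and norm(ev["Image"]) == OUTLOOK:          # FileCreate
            raw = ev["TargetFilename"]
            target = norm(raw)
            if has_malformed_traversal(raw):
                alerts.append(f"malformed traversal token in file write: {raw}")
            if not target.startswith(ALLOWED_WRITE_PREFIXES):
                alerts.append(f"outlook.exe wrote outside allowed paths: {raw}")
                anomalous_writes.append((ts, target))
        elif eid == 7 and norm(ev["Image"]) == OUTLOOK:         # ImageLoad
            if not norm(ev["ImageLoaded"]).startswith(TRUSTED_IMAGE_PREFIXES):
                alerts.append(f"outlook.exe loaded module from untrusted path: {ev['ImageLoaded']}")
        elif eid == 1 and norm(ev["ParentImage"]) == OUTLOOK:   # ProcessCreate
            for wts, target in anomalous_writes:
                delta = ts - wts
                if timedelta(0) <= delta <= CORRELATION_WINDOW:
                    ms = delta // timedelta(milliseconds=1)
                    alerts.append(
                        f"outlook.exe spawned {ev['Image']} {ms} ms after anomalous write to {target}"
                    )
    return alerts


# Constructed sample telemetry (not real captures): a benign OAB write, a write into the
# user's Startup folder, a DLL load from %TEMP%, a child process 80 ms after the Startup
# write, and a write whose name still carries the raw CWE-35 token.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2025-06-12 09:15:00.000", "Image": OUTLOOK,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\Offline Address Books\udetails.oab"},
    {"EventID": 11, "UtcTime": "2025-06-12 09:15:00.100", "Image": OUTLOOK,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 7, "UtcTime": "2025-06-12 09:15:00.150", "Image": OUTLOOK,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"EventID": 1, "UtcTime": "2025-06-12 09:15:00.180", "ParentImage": OUTLOOK,
     "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 11, "UtcTime": "2025-06-12 09:15:00.900", "Image": OUTLOOK,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Outlook\.../...//payload.dll"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The allow-list approach deliberately treats %TEMP% differently for writes and for module loads: Outlook legitimately writes attachments there, but loading a DLL from it is the traversal-to-execution pattern the rules are meant to catch. In production the same logic maps onto a SIEM query keyed on Sysmon EventID, Image, TargetFilename, ImageLoaded and ParentImage.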
How to Mitigate CVE-2025-47176
Immediate Actions Required
- Apply the June 2025 Microsoft security update for Microsoft 365 Apps and Office LTSC 2024 referenced in the Microsoft advisory.
- Inventory endpoints running affected Office builds and prioritize patching workstations used to process untrusted external mail.
- Validate that Office update channels (Current, Monthly Enterprise, Semi-Annual) have received the fixed build and that clients have restarted Outlook.
Patch Information
Microsoft addressed the vulnerability through the standard Office update channels. Administrators should consult the Microsoft Security Update CVE-2025-47176 page for the specific build numbers corresponding to Microsoft 365 Apps Enterprise and Office LTSC 2024 (x86 and x64).
Workarounds
- Run Outlook under standard (non-administrator) accounts so that code executing in the Outlook process inherits limited rights and cannot directly modify system-wide locations or move laterally with elevated credentials.
- Block executable and script attachments at the mail gateway to reduce the likelihood of malicious content reaching Outlook's processing pipeline.
- Enable Protected View (which applies to Word, Excel and PowerPoint attachments opened from Outlook) and the Office Attack Surface Reduction rules, including the Outlook-specific "Block Office communication application from creating child processes" rule, to limit Outlook's ability to launch child processes or write executable files.
# Verify installed Microsoft 365 Apps build on Windows
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport
# Force an Office update check
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.