Threat Actors Allegedly Selling Microsoft Office 0-Day RCE Vulnerability on Hacking Forums

A threat actor known as Zeroplayer has reportedly listed a zero-day remote code execution (RCE) vulnerability, combined with a sandbox escape, targeting Microsoft Office and Windows systems for sale on underground hacking forums.

Priced at $30,000, the exploit purportedly works on most Office file formats, including the latest versions, and affects fully patched Windows installations.

This development raises alarms in the cybersecurity community, as it could enable attackers to bypass Microsoft’s robust sandbox protections and execute arbitrary code with minimal user interaction.

The advertisement, posted in Russian on a prominent hacking forum, describes the vulnerability as a high-impact 0-day capable of delivering payloads through malicious Office documents.

Zeroplayer claims the exploit chain allows remote attackers to escape the Office sandbox, a critical security feature designed to isolate potentially harmful code, and achieve full system compromise on Windows.

Delivery methods involve embedding the exploit in common file types like Word or Excel documents, which could be distributed via phishing emails or compromised websites.

Alleged Microsoft Office 0-Day Claim

Details of the Hacker Forum Listing

The seller invites private messages for demonstrations and proof-of-concept details, emphasizing compatibility with recent updates to mitigate detection by antivirus tools.

This isn’t Zeroplayer’s first foray into the exploit market; the actor previously offered a WinRAR zero-day RCE for $80,000 in July 2025, highlighting a pattern of targeting widely used productivity and archiving software.

Such sales underscore the lucrative underground economy for zero-days, where exploits fetch premium prices before public disclosure or patching.

Microsoft’s November 2025 Patch Tuesday addressed multiple critical RCE flaws in Office, including CVE-2025-62199, a use-after-free vulnerability exploitable via malicious documents.

However, that patch focused on known issues and did not reference this alleged 0-day, suggesting it remains unpatched and potentially more dangerous due to its sandbox escape component.

Sandbox escapes are particularly concerning, as they neutralize one of Office’s primary defenses against macro-based attacks, allowing malware to spread laterally across networks.

Experts note that Russian-language forums like the one hosting this listing often serve as hubs for state-affiliated or opportunistic threat actors, who may weaponize such exploits for ransomware, espionage, or data theft.

Similar past incidents, such as the 2023 exploitation of CVE-2023-36884 by the Russian group Storm-0978, involved Office RCE for backdoor deployment against Western targets.

The potential fallout from this 0-day is significant, especially for enterprises reliant on Microsoft 365. Attackers could leverage it to compromise supply chains or conduct targeted intrusions while evading endpoint detection and response (EDR) tools.

Given Office’s ubiquity across over 1.4 billion devices globally, unpatched systems face a heightened risk of infection through spear-phishing.

Organizations should prioritize disabling macros through Office policies, enable Protected View for all documents, and deploy advanced threat protection tools.
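As an added example (not part of the article and not a Microsoft tool), the script below audits Word, Excel and PowerPoint for the two recommendations above, macros disabled and Protected View enabled, and can optionally set the values. It assumes Office 16.0 (2016/2019/Microsoft 365) and reads the per-user Policies hive; the value names are Microsoft's documented Office policy registry values, which in a fleet would normally be pushed via Group Policy rather than set by hand.

```powershell
# Added example, not from the article: audit (and optionally remediate) the per-user
# Office policy values behind "disable macros" and "enable Protected View".
# Assumes Office 16.0 under HKCU\Software\Policies; deploy the same values via GPO
# for fleet-wide coverage.
[CmdletBinding()]
param([switch]$Remediate)

$Apps = 'Word', 'Excel', 'PowerPoint'

# Expected values:
#   VBAWarnings 4                      = disable all macros without notification
#   blockcontentexecutionfrominternet 1 = block macros in files downloaded from the Internet
#   Disable*InPV 0                      = Protected View stays ON for Internet files,
#                                         unsafe locations and Outlook attachments
$Expected = @{
    'Security' = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }
    'Security\ProtectedView' = @{
        DisableInternetFilesInPV   = 0
        DisableUnsafeLocationsInPV = 0
        DisableAttachementsInPV    = 0   # sic: Office's own spelling of the value name
    }
}

function Test-OfficeHardening {
    foreach ($app in $Apps) {
        foreach ($subKey in $Expected.Keys) {
            $path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\$subKey"
            foreach ($name in $Expected[$subKey].Keys) {
                $want = $Expected[$subKey][$name]
                # Missing key or value yields $null, which is reported as non-compliant.
                $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
                $ok = ($null -ne $have) -and ($have -eq $want)
                if (-not $ok -and $Remediate) {
                    # Writing under HKCU\Software\Policies requires an elevated shell.
                    New-Item -Path $path -Force | Out-Null
                    Set-ItemProperty -Path $path -Name $name -Value $want -Type DWord
                    $ok = $true
                }
                [pscustomobject]@{
                    App = $app; Setting = $name; Expected = $want; Actual = $have; Compliant = $ok
                }
            }
        }
    }
}

Test-OfficeHardening | Format-Table -AutoSize
```

Run without `-Remediate` first to see which settings drift from policy; any row with `Compliant = False` is a host where a malicious document could still run macros or open outside Protected View.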

Monitoring for anomalous forum activity and applying upcoming patches urgently is advised, as Microsoft may accelerate fixes if exploitation evidence emerges.

Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
