A high-impact zero-day vulnerability targeting Microsoft Office and Windows systems, which reportedly includes a remote code execution (RCE) exploit coupled with a sandbox escape, has been put up for sale by a threat actor known as Zeroplayer. Advertised on a prominent Russian-language hacking forum for $30,000, the exploit is claimed to function across most Office file formats, including the latest versions, and can compromise fully patched Windows installations. The development is concerning for the cybersecurity community because it offers a mechanism for attackers to bypass Microsoft’s robust sandbox protections—a critical feature designed to isolate potentially harmful code—and execute arbitrary code with minimal user interaction, delivering payloads through malicious Office documents.
This vulnerability is particularly dangerous due to its sandbox escape component. The seller claims the exploit chain allows remote attackers to neutralize the Office sandbox, a primary defense against macro-based attacks, and achieve full system compromise on Windows. Delivery methods involve embedding the exploit in common file types like Word or Excel documents, which could be distributed efficiently via phishing emails or compromised websites. Zeroplayer’s history in the exploit market, including the prior sale of a WinRAR zero-day RCE, underscores a pattern of targeting widely used productivity software, highlighting the lucrative underground economy where such unpatched exploits fetch premium prices.
The sale comes shortly after Microsoft’s November 2025 Patch Tuesday, which addressed several critical RCE flaws in Office, such as a use-after-free vulnerability, CVE-2025-62199. However, this patch focused on known issues and did not reference the alleged zero-day. This suggests the newly listed exploit remains unpatched, making it potentially more dangerous as it includes the ability to bypass the Office sandbox. Experts note that Russian-language forums often act as key hubs for both opportunistic and state-affiliated threat actors, who could weaponize such an exploit for ransomware operations, espionage, or large-scale data theft, similar to previous incidents involving Office RCEs used against Western targets.
The potential fallout from this unpatched flaw is significant, especially for enterprises that rely heavily on Microsoft 365, given Office’s massive global user base of over 1.4 billion devices. Attackers could leverage the zero-day to conduct sophisticated targeted intrusions, compromise supply chains, and evade sophisticated endpoint detection response systems. Unpatched systems face a heightened risk of infection through spear-phishing campaigns designed to trick users into opening malicious files. The ability to escape the sandbox nullifies a core security feature and permits malware to spread laterally across networks with greater ease.
To mitigate this elevated risk, organizations are strongly advised to prioritize defensive measures immediately. This includes strictly enforcing policies that disable macros in Office documents and enabling Protected View for all external and untrusted files. Deploying advanced threat protection tools is also recommended to spot novel attack patterns. The cybersecurity community and organizations are monitoring for anomalous forum activity and should prepare to urgently apply any upcoming patches, as Microsoft may accelerate a fix if concrete evidence of active exploitation of this alleged zero-day emerges.
Reference:
