A critical security vulnerability was recently discovered and patched in the widely used Microsoft 365 PDF export feature. The flaw, classified as a Local File Inclusion (LFI) vulnerability, allowed attackers to access sensitive files stored on Microsoft 365 servers during the document-to-PDF conversion process. As noted by GBHackers, Microsoft has since released a security update to address the issue, urging all users and administrators to apply the latest patches to protect their environments.
What Was the Microsoft 365 PDF Export Feature Vulnerability?
The vulnerability existed in the Microsoft 365 “Export to PDF” feature, which converts documents to PDF directly from Word, Excel, PowerPoint, and SharePoint Online. Security researchers found that by submitting crafted HTML content that used certain HTML tags to reference external resources, an attacker could trick the export process into including arbitrary files from the server’s file system in the resulting PDF. This class of attack is known as Local File Inclusion (LFI).
How the Exploit Worked
Attackers would upload or inject specially crafted HTML files into Microsoft 365. During the PDF conversion, the malicious HTML would reference local files on the conversion server (for example, web.config or win.ini). The export process would then embed the contents of these files in the generated PDF, which the attacker could download. Depending on what the converter process was able to read, this could have exposed sensitive configuration data, credentials, or even data belonging to other tenants in a multi-tenant environment.
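To make the mechanism concrete, the following is an added example written for this article; it is not Microsoft’s code and says nothing about how the Microsoft 365 converter is actually implemented. It models a generic server-side HTML-to-PDF asset resolver: the naive version follows `file://` URLs, absolute drive paths and `../` traversal straight to the local disk, while the hardened version only fetches `http(s)` assets from an explicit host allowlist. The HTML document, the in-memory “server file system”, the document root `C:/inetpub/wwwroot/uploads`, the allowlisted host `cdn.example.com` and all function names are constructed for illustration.

```python
"""Toy HTML-to-PDF asset resolver: LFI-prone version next to a hardened one.

Added example, not Microsoft's code. All paths, hosts and file contents are
constructed stand-ins so the script runs offline.
"""
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the converter host's disk (hypothetical paths/contents).
FAKE_SERVER_FS = {
    "C:/inetpub/wwwroot/web.config":
        "<connectionStrings><add name='db' connectionString='Server=sql;Password=hunter2'/></connectionStrings>",
    "C:/Windows/win.ini": "; for 16-bit app support\n[fonts]\n",
}
DOC_ROOT = "C:/inetpub/wwwroot/uploads"      # assumed location of uploaded documents
ALLOWED_HOSTS = {"cdn.example.com"}          # assumed allowlist of asset origins
DRIVE_RE = re.compile(r"^[A-Za-z]:/")

# Constructed attacker document: one legitimate asset plus three local-file references.
MALICIOUS_HTML = """
<html><body>
<img src="https://cdn.example.com/logo.png">
<iframe src="file:///C:/inetpub/wwwroot/web.config"></iframe>
<embed src="C:/Windows/win.ini">
<object data="../../../Windows/win.ini"></object>
</body></html>
"""

# Tag -> attribute that carries a URL the renderer will try to load.
REF_ATTRS = {"img": "src", "iframe": "src", "embed": "src", "object": "data", "link": "href"}


class RefCollector(HTMLParser):
    """Collect every resource reference an HTML renderer would try to fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = REF_ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.refs.append(value)


def collect_refs(html):
    parser = RefCollector()
    parser.feed(html)
    return parser.refs


def _local_path(ref):
    """Path the naive converter maps a reference to on disk (None for http/https)."""
    u = urlparse(ref)
    if u.scheme in ("http", "https"):
        return None
    raw = u.path.lstrip("/") if u.scheme == "file" else ref   # file:///C:/x -> C:/x
    if not DRIVE_RE.match(raw):
        raw = posixpath.join(DOC_ROOT, raw)                   # relative -> under doc root
    return posixpath.normpath(raw)                            # '..' collapses here: the LFI


def naive_fetch(ref):
    """Vulnerable: anything that is not http(s) is read from the local file system."""
    path = _local_path(ref)
    if path is None:
        return "<remote:%s>" % urlparse(ref).hostname        # stand-in for an HTTP fetch
    return FAKE_SERVER_FS.get(path, "")


def hardened_fetch(ref):
    """Fixed: only http(s) to allowlisted hosts; everything else is refused outright."""
    u = urlparse(ref)
    if u.scheme not in ("http", "https"):
        raise ValueError("scheme %r not allowed" % (u.scheme or "relative"))
    if u.hostname not in ALLOWED_HOSTS:
        raise ValueError("host %r not in allowlist" % u.hostname)
    return "<remote:%s>" % u.hostname


def render(html, fetch):
    """Simulate the converter: map each reference to what would land in the PDF."""
    embedded = {}
    for ref in collect_refs(html):
        try:
            embedded[ref] = fetch(ref)
        except ValueError as exc:
            embedded[ref] = "BLOCKED: %s" % exc
    return embedded


if __name__ == "__main__":
    for label, fetch in (("naive", naive_fetch), ("hardened", hardened_fetch)):
        print("==", label)
        for ref, content in render(MALICIOUS_HTML, fetch).items():
            print("  %-42s -> %r" % (ref, content[:60]))
```

The point of the hardened resolver is that it refuses by scheme and origin before any path handling happens; normalising `..` or stripping `file://` prefixes after the fact, as the naive version does, leaves the converter deciding which disk paths are safe, which is exactly the decision an LFI exploits.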
What Data Was at Risk?
The LFI flaw could have exposed:
- Configuration files containing sensitive settings and credentials.
- Internal application source code or secrets.
- Potentially, information from other tenants in shared environments, depending on the server’s configuration and file access permissions.
While there is no evidence that this vulnerability was actively exploited in the wild, the risk of sensitive data exposure was significant, especially for organizations relying on Microsoft 365 for business-critical operations.
Microsoft’s Response and Patch Details
Microsoft acted quickly upon disclosure of the vulnerability, releasing a security patch as part of its July 2025 Patch Tuesday update cycle. The update addresses the underlying issue in the PDF export mechanism, ensuring that only intended files are included in exported documents and blocking attempts to access server-side files through HTML manipulation.
Administrators and users are strongly advised to:
- Apply the latest Microsoft 365 updates immediately.
- Review audit logs for suspicious PDF export activity.
- Educate users about the risks of uploading or opening untrusted documents.
Security Community and Researcher Involvement
The vulnerability was initially discovered by a security researcher during a client assessment. After confirming that the issue was rooted in Microsoft’s official API, the researcher reported the bug to Microsoft’s Security Response Center (MSRC), which classified it as “Important” and awarded a bug bounty for the finding.
This incident is part of a broader trend: Microsoft’s July 2025 Patch Tuesday included fixes for over 130 vulnerabilities, 14 of which were rated critical. The company’s rapid response to this LFI issue underscores the importance of timely patch management and the value of coordinated vulnerability disclosure.
Best Practices for Microsoft 365 Security
To protect your organization from similar threats:
- Enable automatic updates for all Microsoft 365 apps and services.
- Monitor security advisories and Patch Tuesday releases.
- Educate users about document security and phishing risks.
- Restrict permissions for uploading and sharing files, especially HTML content.
- Regularly audit exported documents and access logs for anomalies.
The discovery and remediation of the PDF export LFI vulnerability in Microsoft 365 highlight the ongoing need for vigilance in cloud productivity environments. Organizations should act promptly to apply the latest updates and review their security postures to prevent sensitive data exposure.