The Problems of Embedded Python in Excel, or How to Excel in Pwning Pandas
Black Hat Asia 2025 · Day 2 · Briefings
Shalom Carmel’s presentation, "The Problems of Embedded Python in Excel, or How to Excel in Pwning Pandas," delves into the unexpected security implications of Microsoft’s recent integration of Python into Excel for Office 365 users. Introduced approximately a year and a half prior to the talk, this feature allows users to embed Python code directly within Excel spreadsheets, with execution handled remotely on Microsoft's Azure infrastructure. While designed to empower data analysts with advanced capabilities beyond VBA, Carmel's research, conducted with his son, uncovered several critical vulnerabilities and design choices that could be exploited for remote code execution (RCE) and potentially impact the confidentiality and integrity of user data.
AI review
Shalom Carmel’s research on Python in Excel is a critical deep-dive into the security implications of Microsoft's new cloud-backed execution environment. He meticulously uncovered several significant vulnerabilities, including a user-writable remote file system, arbitrary Linux shell command execution via Jupyter magic commands, and a multi-stage technique for uploading and executing custom binaries. His findings demonstrated how this ubiquitous productivity tool has inadvertently become a potent remote code execution platform, exposing enterprises to novel attack vectors and underscoring…
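The review above names Jupyter magic commands as the route from a Python cell to a Linux shell on the remote runtime. The scanner below is an added, defender-side example written for this summary; it is not code from the talk or from Microsoft. It assumes a reviewer has already extracted the Python text of each PY() cell from a workbook as a string (that extraction step is not shown) and wants to flag cells that rely on IPython-only syntax, which an ordinary Python parser rejects, or that reach a shell through plain Python. The samples are constructed, the `xl()` call is Python in Excel's own range helper, and the `stdlib-shell-call` rule deliberately goes beyond the magics the page mentions to cover `subprocess` and `os` calls as well.

```python
import ast
import re
from dataclasses import dataclass

# Constructed sample cell contents (not taken from the talk): the Python text an
# analyst would type into a PY() cell, as a reviewer extracts it from a workbook.
SAMPLES = {
    "benign_groupby": 'import pandas as pd\ndf = xl("Sales[#All]", headers=True)\ndf.groupby("region").sum()',
    "shell_escape": "import pandas as pd\n!uname -a\ndf = pd.DataFrame()",
    "cell_magic": "%%bash\necho $HOME",
    "system_magic": "out = %system id\nprint(out)",
    "get_ipython": "get_ipython().system('id')",
    "subprocess_run": "import subprocess\nsubprocess.run(['id'], check=True)",
    # A leading '!' inside a string literal is data, not a magic: must not fire.
    "string_only": 'note = """\n!this is data, not a command\n"""',
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str


# IPython-only syntax, matched against each line with surrounding whitespace stripped.
# Rule order matters: the first match per line wins, the catch-all comes last.
MAGIC_RULES = [
    ("ipython-shell-escape", re.compile(r"^!")),
    ("ipython-cell-magic", re.compile(r"^%%(bash|sh|script|sx|perl|ruby)\b")),
    ("ipython-line-magic", re.compile(r"(^|=\s*)%(system|sx|sc|run|pip|conda|alias|env)\b")),
    ("ipython-other-magic", re.compile(r"^%{1,2}[A-Za-z_]")),
]

# Plain-Python routes to a shell; these parse fine, so they are found via the AST.
SHELL_CALLS = {
    ("os", "system"), ("os", "popen"), ("os", "execv"), ("os", "execvp"),
    ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
}


def _scan_magics(lines):
    """Flag lines that only an IPython-style kernel would accept."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        for rule, rx in MAGIC_RULES:
            if rx.search(line):
                findings.append(Finding(no, rule, line))
                break
    return findings


def _scan_ast(source):
    """Flag get_ipython() and shell-spawning stdlib calls in parseable Python."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        seg = ast.get_source_segment(source, node) or ""
        if isinstance(f, ast.Name) and f.id == "get_ipython":
            findings.append(Finding(node.lineno, "get-ipython-call", seg))
        elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
              and (f.value.id, f.attr) in SHELL_CALLS):
            findings.append(Finding(node.lineno, "stdlib-shell-call", seg))
    return findings


def scan(source):
    """Return all findings for one cell, ordered by line number."""
    lines = source.splitlines()
    try:
        ast.parse(source)
        magic = []  # valid Python: a leading '!' or '%' can only sit inside a string
    except SyntaxError:
        magic = _scan_magics(lines)
        # Blank the magic lines (keeping numbering) so the remainder can be parsed;
        # a cell magic such as %%bash owns everything after it, so blank that too.
        hit = {f.line_no for f in magic}
        cell = [f.line_no for f in magic if f.rule == "ipython-cell-magic"]
        cutoff = min(cell) if cell else len(lines) + 1
        lines = ["" if (i in hit or i >= cutoff) else l for i, l in enumerate(lines, 1)]
        source = "\n".join(lines)
    try:
        ast_findings = _scan_ast(source)
    except SyntaxError:
        ast_findings = [Finding(0, "unparseable", "non-Python syntax remains after removing magics")]
    return sorted(magic + ast_findings, key=lambda f: f.line_no)


def triage(samples):
    """Map each sample name to the list of rule names that fired."""
    return {name: [f.rule for f in scan(src)] for name, src in samples.items()}


if __name__ == "__main__":
    for name, rules in triage(SAMPLES).items():
        print(f"{name:16s} -> {rules or 'clean'}")
```

Parsing first and only falling back to the line rules when the parser rejects the cell is what keeps the `string_only` sample clean: a `!` at the start of a line inside a triple-quoted string is legitimate Python, whereas a bare `!uname -a` can never be. Anything the scanner cannot parse even after the recognised magics are removed is reported as `unparseable` rather than silently passed, so a novel magic form still surfaces for manual review.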