Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Microsoft Office app Remote Code Execution Vulnerability
AnalysisAI
Microsoft Office app Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
Affected products include: Microsoft 365 Copilot.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in 365 Copilot
View allCVE-2025-32711 is an AI command injection vulnerability in Microsoft 365 Copilot that enables unauthenticated network-ba
M365 Copilot has an input validation vulnerability allowing unauthorized attackers to extract sensitive information thro
Privilege elevation in Microsoft 365 Copilot's Business Chat is possible when an attacker abuses an open redirect (CWE-6
Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can
Local code execution in Microsoft Office is possible through a heap-based buffer overflow that an unauthorized attacker
Local code execution in Microsoft Office via a heap-based buffer overflow allows an unauthorized attacker to run arbitra
Local code execution in Microsoft Office via a heap-based buffer overflow that lets an unauthorized attacker run arbitra
Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over t
M365 Copilot is vulnerable to command injection that enables unauthenticated remote attackers to extract sensitive infor
Out-of-bounds read (buffer over-read) in Microsoft Office exposes sensitive memory contents to a local attacker who can
Share
External POC / Exploit Code
Leaving vuln.today