CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Improper input validation in Microsoft Office allows an unauthorized attacker to execute code locally.
Analysis
CVE-2025-47173 is an improper input validation vulnerability in Microsoft Office that allows local code execution without requiring any privileges (PR:N), though user interaction (UI:R) is needed. An attacker with local access can craft a malicious Office document that, when opened by a user, executes arbitrary code with the privileges of the affected Office application. The vulnerability affects Microsoft Office products across multiple versions and poses a moderate-to-high risk: the attack vector is local, but the impact on confidentiality, integrity, and availability is rated high (C:H/I:H/A:H).
Technical Context
This vulnerability stems from CWE-641 (Improper Restriction of Rendered UI Layers or Frames), which indicates the root cause involves inadequate validation of input data in Office document parsing or rendering. The weakness likely exists in the Office document format handlers (such as OOXML parsing libraries) that process user-supplied content without sufficient sanitization. When a specially crafted Office file (DOCX, XLSX, PPTX, etc.) is opened, the improper input validation fails to restrict embedded objects, macros, or executable content, allowing code execution within the Office application's security context. The vulnerability requires user interaction (UI:R) to trigger, meaning the user must open the malicious document, but does not require any special privileges (PR:N) to exploit.
Affected Products
Microsoft Office suite, including but not limited to: Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Office 365. Affected versions likely include Microsoft Office 2019, Microsoft Office 2021, and Microsoft 365 subscription versions (Consumer and Enterprise). The vulnerability affects the core Office application runtime and document parsing libraries used across all Windows-based Office installations. Specific CPE identifiers would include patterns such as 'cpe:2.3:a:microsoft:office:*', 'cpe:2.3:a:microsoft:word:*', 'cpe:2.3:a:microsoft:excel:*', and 'cpe:2.3:a:microsoft:powerpoint:*' across affected version ranges. End-of-support versions (Office 2016 and earlier) may not receive patches. Microsoft 365 subscribers on monthly update channels should receive patches automatically; users on deferred channels or on-premises installations must apply security updates manually.
Remediation
Immediate actions:
(1) Apply the latest security updates from Microsoft for all Office applications; check Windows Update or the Microsoft 365 admin center for available patches.
(2) For Office 2019 and earlier on-premises installations, download and install the cumulative security update from Microsoft's Security Update Guide (portal.msrc.microsoft.com).
(3) Enable Protected View in Microsoft Office; this sandboxes potentially dangerous documents opened from the internet or email, preventing code execution even if the document is malicious.
(4) Mitigate without patching by disabling macros in the Office Trust Center settings and educating users not to enable content in suspicious documents.
(5) Use email gateway controls to block or sandbox Office documents from external sources.
(6) Consider disabling VBA and scripting through Office group policies if they are not required for business operations.
(7) Monitor for suspicious Office process behavior using EDR (Endpoint Detection and Response) tools.
Patch timelines should prioritize systems in high-risk roles (executives, developers, finance) and those with Internet-facing document handling.
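As an added example (not part of the vuln.today record), a read-only PowerShell audit of the Office Trust Center settings that steps (3), (4) and (6) rely on, run in the context of the user being checked; the registry paths are the standard Office 16.0 user and policy locations and are an assumption to verify against Microsoft's Group Policy documentation.

```powershell
# Added example (not from vuln.today): audit-only check of the Office Trust Center
# settings behind remediation steps (3), (4) and (6). Registry locations are the
# standard Office 16.0 user/policy paths and are assumptions to verify against
# Microsoft's Group Policy documentation; nothing is written to the registry.
$apps = @('Word', 'Excel', 'PowerPoint')
$findings = @()

function Get-RegValue([string]$Path, [string]$Name) {
    if (Test-Path $Path) {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    return $null
}

foreach ($app in $apps) {
    $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $user   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"

    # Step 3: a value of 1 under ...\Security\ProtectedView switches that Protected
    # View trigger OFF, so any 1 here (policy first, then user setting) is a weakening.
    foreach ($pv in 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV') {
        $v = Get-RegValue "$policy\ProtectedView" $pv
        if ($null -eq $v) { $v = Get-RegValue "$user\ProtectedView" $pv }
        if ($v -eq 1) { $findings += "$app : Protected View weakened ($pv=1)" }
    }

    # Step 4: VBAWarnings 1 = enable all macros (weak); 2 = disable with notification;
    # 3 = disable except digitally signed; 4 = disable all without notification.
    $vba = Get-RegValue $policy 'VBAWarnings'
    if ($null -eq $vba) { $vba = Get-RegValue $user 'VBAWarnings' }
    if ($vba -eq 1) { $findings += "$app : all macros enabled (VBAWarnings=1)" }
    elseif ($null -eq $vba) { $findings += "$app : VBAWarnings not set (Office default applies)" }

    # Policy that blocks macros in files carrying the Mark of the Web (policy hive only).
    if ((Get-RegValue $policy 'blockcontentexecutionfrominternet') -ne 1) {
        $findings += "$app : macros from the internet are not blocked by policy"
    }
}

# Step 6: the 'Disable VBA for Office applications' policy (VbaOff=1) removes VBA entirely.
if ((Get-RegValue 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common' 'VbaOff') -ne 1) {
    $findings += 'VBA is not disabled by policy (VbaOff<>1)'
}

if ($findings.Count -eq 0) { 'No weak Office settings found' } else { $findings }
```

Each reported line names the setting and the value that weakens it, so the same keys can be corrected through Group Policy rather than by editing the registry by hand.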
EUVD-2025-17726