Skip to main content

Microsoft Office CVE-2025-62554

HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2025-12-09 secure@microsoft.com
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 16:30 vuln.today

DescriptionCVE.org

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

AnalysisAI

Local code execution in Microsoft Office (365 Apps, Office 2016/2019, Office LTSC 2021, and Office for Android/macOS) stems from a type confusion flaw (CWE-843) that lets an attacker run arbitrary code in the context of the current user. Despite PR:N/UI:N in the CVSS vector, the AV:L attack vector means the attacker must deliver a malicious document to be opened on the target host. No public exploit has been identified at time of analysis and the CVE is not on the CISA KEV list.

Technical ContextAI

The root cause is CWE-843 (Access of Resource Using Incompatible Type - 'Type Confusion'), in which Office code casts an object to an incompatible type without proper validation, causing the program to interpret memory layout incorrectly. This commonly arises in Office's document parsers (Word, Excel, PowerPoint) when handling embedded objects, OLE structures, or scripting objects, and the resulting memory mismatch can be steered into a controlled write or vtable corruption that yields arbitrary code execution. The affected CPE set spans Microsoft 365 Apps (Enterprise x86/x64), Office 2016 and 2019 (x86/x64), Office LTSC 2021 (x86/x64 and macOS), and Office for Android, indicating the vulnerable component is in shared Office code rather than a single application.

RemediationAI

Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62554 - patch available per vendor advisory; exact fix build numbers are channel-specific and listed in that advisory for 365 Apps, Office 2016, Office 2019, Office LTSC 2021 (Windows and macOS), and Office for Android. As compensating controls while patching, enable Protected View and Application Guard for Office so untrusted documents open in an isolated container (trade-off: macros and some embedded content are restricted), block Office documents originating from email or the internet via Attack Surface Reduction rule 'Block Office applications from creating executable content', and use Mark-of-the-Web enforcement so files from external sources are forced into Protected View. Where feasible, restrict opening of Office documents from untrusted senders via mail-gateway filtering of risky file types (trade-off: business users may need exception workflows).

CVE-2026-21509 HIGH
7.8 Jan 26

Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec

CVE-2026-21514 HIGH
7.8 Feb 10

Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input

CVE-2024-21413 CRITICAL POC
9.8 Feb 13

Microsoft Outlook Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2025-47957 HIGH POC
8.4 Jun 10

Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary

CVE-2022-41106 HIGH
8.8 Nov 09

Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2023-33148 HIGH POC
7.8 Jul 11

Microsoft Office Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack

CVE-2025-27751 HIGH POC
7.8 Apr 08

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C

CVE-2025-47165 HIGH POC
7.8 Jun 10

Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A

CVE-2025-47175 HIGH POC
7.8 Jun 10

Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb

CVE-2023-36041 HIGH POC
7.8 Nov 14

Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica

CVE-2023-28311 HIGH POC
7.8 Apr 11

Microsoft Word Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authenticat

CVE-2023-28285 HIGH POC
7.8 Apr 11

Microsoft Office Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentic

Share

CVE-2025-62554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy