Microsoft Office
CVE-2025-62557
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
AnalysisAI
Local code execution in Microsoft Office (365 Apps, Office 2016/2019, and Office LTSC 2021 across Windows, macOS, and Android) stems from a use-after-free memory corruption flaw tracked as CVE-2025-62557. An attacker who entices a user to open a crafted document can achieve arbitrary code execution with the privileges of the current user, with no public exploit identified at time of analysis. The CVSS 8.4 rating reflects high impact across confidentiality, integrity, and availability despite the local attack vector.
Technical ContextAI
The vulnerability is a CWE-416 use-after-free condition in Microsoft Office's document parsing or object handling code, where memory is referenced after it has already been freed. Such flaws typically arise when an object's lifetime is mismanaged during complex document rendering (e.g., embedded objects, OLE handling, or specific file format parsers), allowing an attacker to control the freed memory region and hijack execution flow. The CPE data confirms a broad footprint spanning Microsoft 365 Apps Enterprise (x64/x86), Office 2016 and 2019 (x64/x86), Office LTSC 2021 (x64/x86 and macOS), and Office for Android - indicating the vulnerable code path is in cross-platform Office shared components rather than a Windows-specific subsystem.
RemediationAI
Apply the Microsoft security updates referenced in MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62557 for each affected Office channel - Microsoft 365 Apps updates ship via Click-to-Run, while Office 2016/2019 and LTSC 2021 receive MSI/standalone patches through Microsoft Update or the Download Center, and the macOS LTSC and Android builds update through their respective platform mechanisms; exact patched build numbers are not enumerated in the available data and must be taken from the MSRC entry. Until patches are deployed across all SKUs, compensating controls include disabling the Outlook/Explorer Preview Pane to prevent auto-rendering of untrusted attachments (trade-off: reduced triage efficiency for users), enforcing Protected View and Office File Block policies for documents originating from the internet or email (trade-off: friction for legitimate inbound documents), and using Attack Surface Reduction rules to block Office applications from creating child processes (trade-off: may break legitimate macro-based workflows). No vendor-released patch version is independently confirmed from the supplied data beyond the MSRC advisory reference.
Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec
Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input
Microsoft Outlook Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl
Microsoft Office Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C
Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A
Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica
Microsoft Word Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authenticat
Microsoft Office Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentic
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today