EUVD-2025-17735
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Analysis
Use-after-free (UAF) vulnerability in Microsoft Office that allows unauthenticated local attackers to execute arbitrary code with no user interaction required. The vulnerability affects multiple Microsoft Office versions and has a CVSS score of 8.4 (High), indicating severe risk with high impact to confidentiality, integrity, and availability. Without publicly disclosed EPSS data or KEV confirmation provided, the actual exploitation likelihood in the wild remains unconfirmed, though the local attack vector and lack of privilege/interaction requirements suggest moderate real-world exploitability once weaponized.
Technical Context
This vulnerability is a use-after-free (CWE-416) flaw in Microsoft Office—a memory safety issue where the application references memory that has already been freed. CWE-416 vulnerabilities occur when a program continues to use a pointer after the memory object it referenced has been deallocated, potentially allowing attackers to control the freed memory region and achieve code execution. In the Microsoft Office context, this likely occurs during document parsing, object lifecycle management, or COM component handling. The vulnerability requires local access (AV:L) to trigger, suggesting it may be exploitable through malicious Office documents opened locally or via local file system interaction. The complexity is low (AC:L), indicating the flaw does not require special conditions, race conditions, or user-specific configurations to trigger reliably.
Affected Products
Microsoft Office (specific versions not provided in available data, but typical affected product lines include Microsoft Word, Excel, PowerPoint, Access, Publisher, and Outlook across Office 2016, Office 2019, Microsoft 365 Apps for Enterprise, and potentially Office on Mac and Office for iPad). CPE string pattern would typically be: cpe:2.3:a:microsoft:office:*:*:*:*:*:*:*:* (with version constraints to be determined from official Microsoft Security Update Guide). Affected users should cross-reference Microsoft's official CVE page (microsoft.com/en-us/msrc) and the Security Update Guide (msrc.microsoft.com) for exact version/build numbers and patch availability.
Remediation
1. **Immediate patching**: Install the latest Microsoft Office security updates from Microsoft Security Update Guide (msrc.microsoft.com/update-guide) immediately upon availability. 2. **Temporary mitigation**: Restrict Office document opening from untrusted sources; disable Office macros (if applicable to UAF trigger); implement application whitelisting to limit Office.exe execution contexts. 3. **Workarounds**: Until patches are deployed, consider: disabling Office preview features in File > Options > Trust Center; using Office in sandboxed/containerized environments; restricting local file access permissions for Office processes. 4. **Monitoring**: Enable logging for Office process execution and memory corruption events (Windows Event Viewer, SIEM integration). 5. **Defense-in-depth**: Implement endpoint detection and response (EDR) solutions to detect unusual Office behavior, memory-corruption exploitation techniques, and post-exploitation activities.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today