Description
Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally.
Published: 2025-12-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A relative path traversal flaw in Microsoft Office Access enables an unauthorized attacker to execute arbitrary code on the local machine. The vulnerability arises when Access processes file paths that are not fully validated, allowing crafted paths to access sensitive files or directories and trigger code execution, potentially compromising confidentiality, integrity, and availability on the host system. The weakness aligns with CWE‑23, highlighting improper handling of paths.

Affected Systems

The flaw affects Microsoft 365 Apps for Enterprise, Microsoft Access 2016 (including the 32‑bit edition), Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft Office LTSC 2024. Specific affected release or patch levels are not detailed in the available data.

Risk and Exploitability

With a CVSS score of 7.8, the vulnerability is rated moderate‑high severity, yet the EPSS score of less than 1% indicates a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker must supply or trick the target into opening a specially crafted Access file or attempt to perform the traversal on a machine that has the vulnerable application installed. No network‑based exploitation path is indicated in the description.

Generated by OpenCVE AI on April 20, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Microsoft security update that addresses CVE‑2025‑62552 on all affected Microsoft Office products via the Microsoft Update service or Individual Update Release site.
  • Configure Group Policy to disable or restrict the use of macros and external drivers that could be leveraged to execute code from Access files, ensuring that only trusted code runs.
  • Enforce file type restrictions or set folder access controls to prevent the application from processing untrusted .accdb files by limiting which directories Access can access or by using application whitelisting.

Generated by OpenCVE AI on April 20, 2026 at 15:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft access
Microsoft office
Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:access:2016:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
Vendors & Products Microsoft access
Microsoft office
Microsoft office Long Term Servicing Channel

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally.
Title Microsoft Access Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft access 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Weaknesses CWE-23
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:access_2016:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft access 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Access Access 2016 Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:50.282Z

Reserved: 2025-10-15T17:11:21.219Z

Link: CVE-2025-62552

cve-icon Vulnrichment

Updated: 2025-12-09T20:14:13.819Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-09T18:16:00.287

Modified: 2025-12-09T19:34:42.550

Link: CVE-2025-62552

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses