Description
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Published: 2025-12-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution
Action: Immediate Patch
AI Analysis

Impact

A use-after-free bug in Microsoft Excel allows an attacker to execute code locally on the affected machine. The flaw is triggered by opening a crafted Excel file, after which arbitrary code runs under the victim's user account. The weakness is classified as CWE-416 (Use After Free): memory is accessed after it has already been released, so the attacker can influence the program's state through the dangling reference.

Affected Systems

Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021 and 2024, and Microsoft Office LTSC for Mac 2021 and 2024 are all impacted. The advisory gives no specific version ranges, so every listed release should be treated as affected until patched.

Risk and Exploitability

The CVSS score of 7.8 marks this as a high-severity issue. The vector (AV:L/AC:L/PR:N/UI:R) indicates that no privileges are required but a user must open the malicious file. The EPSS score of less than 1% suggests that, as of the last assessment, exploitation is unlikely but not impossible. The vulnerability is not currently listed in CISA's KEV catalog. The likely attack path is a malicious Excel workbook or macro that a user opens locally, allowing the attacker to run arbitrary code on the machine.

Generated by OpenCVE AI on April 20, 2026 at 16:04 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update for CVE-2025-62553 as outlined in the Microsoft Security Update Guide.
  • Configure Excel and Office to run in Protected View for documents originating from untrusted locations and enforce strict macro security settings.
  • As a temporary measure, avoid opening untrusted Excel files or executing macros from them, and consider disabling add-ins or features that might trigger the use-after-free flaw until a patch is available.


Tracking


Advisories

No advisories yet.

History

Tue, 09 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
Vendors & Products Microsoft excel
Microsoft office
Microsoft office Long Term Servicing Channel

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
Title Microsoft Excel Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:excel_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft excel 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:50.921Z

Reserved: 2025-10-15T17:11:21.219Z

Link: CVE-2025-62553

Vulnrichment

Updated: 2025-12-09T20:14:07.315Z

NVD

Status : Analyzed

Published: 2025-12-09T18:16:00.453

Modified: 2025-12-09T19:36:10.630

Link: CVE-2025-62553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:15:11Z

Weaknesses