Description
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
Published: 2025-12-09
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

Microsoft Office contains a type confusion flaw that makes the program handle an object of one type as if it were another. Classified as CWE‑843, the vulnerability can be abused to trigger local code execution, granting an attacker the same privileges as the user and potentially compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Office LTSC for Mac 2021, Office LTSC for Mac 2024, and Office for Android across multiple architectures. The CNA lists these product families but does not provide specific release qualifiers beyond the product names, so any installation from these lines is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.4 the vulnerability is classified as high severity. The EPSS score of less than 1% indicates a very low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that the attacker must deliver a malicious Office file to a user who then opens or loads the file in an affected application. Once the type confusion is triggered, local code execution can occur, allowing the attacker to run arbitrary code with the user's privileges.

Generated by OpenCVE AI on April 20, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security updates for all affected Office releases as described on the Microsoft Security Response Center update guide.
  • Enable and configure automatic updates for the Office suite and the underlying operating system to ensure that future fixes are applied promptly.
  • Limit exposure to unfamiliar Office documents by enforcing Protected View, disabling macros, and using reputable email filtering and attachment sandboxing solutions to block malicious files before they reach the user.

Generated by OpenCVE AI on April 20, 2026 at 16:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Dec 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:-:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
Vendors & Products Microsoft office Long Term Servicing Channel

Tue, 09 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
Title Microsoft Office Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Weaknesses CWE-843
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office:*:*:android:*:*:*:*:*
cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2016 Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:51.572Z

Reserved: 2025-10-15T17:11:21.220Z

Link: CVE-2025-62554

cve-icon Vulnrichment

Updated: 2025-12-09T20:13:59.836Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-09T18:16:00.620

Modified: 2025-12-10T18:37:25.813

Link: CVE-2025-62554

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:15:11Z

Weaknesses