Description
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2025-12-09
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution via use‑after‑free
Action: Immediate patch
AI Analysis

Impact

A use‑after‑free flaw in Microsoft Word allows an attacker to execute arbitrary code locally on a system that processes a malicious document. The vulnerability is a classic CWE‑416 issue that can compromise the confidentiality and integrity of the host environment, potentially enabling privilege escalation if Word runs with elevated rights.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC for Mac 2024, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft Word 2016. Specific version details were not supplied; the vulnerability exists across the listed Office and SharePoint releases.

Risk and Exploitability

The CVSS score of 7 indicates a high severity vulnerability, while the EPSS score of less than 1% suggests low to moderate exploitation likelihood at present. Yet the flaw remains critical because it can be triggered by a local document, which attackers can obtain via phishing or compromised sites. The vulnerability is not listed in CISA's KEV catalog, but its presence in widely deployed Microsoft products makes the impact significant for enterprises that have not yet applied the official fix.

Generated by OpenCVE AI on April 20, 2026 at 15:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update for CVE‑2025‑62555 released by Microsoft; the update is documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62555
  • Configure Office to disable macros by default and block opening of untrusted documents automatically, reducing the risk of exploitation through malicious files
  • Maintain the latest OS and Office service packs, ensuring that all security updates are installed promptly; regularly review Microsoft Update catalog for new patches

Generated by OpenCVE AI on April 20, 2026 at 15:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Dec 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft sharepoint Server
Microsoft word
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft sharepoint Server
Microsoft word

Tue, 09 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Microsoft word 2016
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Microsoft word 2016
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019 Word Word 2016
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:52.184Z

Reserved: 2025-10-15T17:11:21.220Z

Link: CVE-2025-62555

cve-icon Vulnrichment

Updated: 2025-12-09T20:13:52.376Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-09T18:16:00.790

Modified: 2025-12-10T18:32:58.360

Link: CVE-2025-62555

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses