Description
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Published: 2025-12-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in Microsoft Office Word that lets an attacker execute code locally. An attacker who can place a malicious document into a target environment can trigger the flaw when the document is processed, leading to arbitrary code execution on the victim machine. The flaw compromises confidentiality, integrity and availability of the affected workstation, and can be leveraged to gain persistent footholds.

Affected Systems

The flaw affects several Microsoft products, including Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC editions of 2021 and 2024 (both Windows and Mac), Microsoft Word 2016, and SharePoint Server 2016 and 2019. Version numbers are not specified in the advisory; the affected configurations are all current releases of these products.

Risk and Exploitability

The CVSS v3 score is 7.8, indicating significant impact. The EPSS score is less than 1%, suggesting exploitation probability is currently low, and it is not listed in CISA KEV. Based on the description, the likely attack vector is local file execution: an attacker must supply a crafted Office file that the user opens or that triggers the processing engine. No network exposure is described, so exploitation is limited to environments where a user can be tricked or induced to open the malicious document.

Generated by OpenCVE AI on April 20, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft Office security update that addresses CVE‑2025‑62558 as published on the Microsoft Security Update Guide.
  • Ensure that all affected Office and SharePoint installations are updated to the latest cumulative update; if updates are not yet available, verify the vendor’s release schedule for the next advisory.
  • Configure Microsoft 365 Apps and Office to receive automatic updates so future patches are applied promptly.

Generated by OpenCVE AI on April 20, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Dec 2025 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft sharepoint Server
Microsoft word
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:x86:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft sharepoint Server
Microsoft word

Tue, 09 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Title Microsoft Word Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Microsoft word 2016
Weaknesses CWE-416
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft office Macos 2021
Microsoft office Macos 2024
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Microsoft word 2016
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Office Macos 2021 Office Macos 2024 Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019 Word Word 2016
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:53.928Z

Reserved: 2025-10-15T17:11:21.220Z

Link: CVE-2025-62558

cve-icon Vulnrichment

Updated: 2025-12-09T20:13:29.777Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-09T18:16:01.300

Modified: 2025-12-10T15:39:36.247

Link: CVE-2025-62558

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses