Impact
The vulnerability exists in Microsoft Word, where untrusted input is used in a security decision, allowing an unauthorized local user to bypass a built‑in security feature. The bypass could enable the execution of content that is normally blocked, thereby affecting the confidentiality, integrity, or availability of the system. Based on the description, it is inferred that a crafted payload could trigger code or data that the security mechanism would otherwise prevent.
Affected Systems
The affected products are Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and the macOS editions Microsoft Office LTSC for Mac 2021 and Microsoft Office LTSC for Mac 2024. No specific version ranges are provided by the CNA; consequently, any installation of these suites is considered vulnerable until a patch is released.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity. An EPSS score of 2% denotes a low but non‑negligible likelihood of exploitation. The vulnerability is listed in the CISA KEV catalog, confirming active exploitation. The attacker must already have local access; no remote attack vector has been disclosed. The likely attack vector is therefore a compromise of a local account or a malicious document opened locally.
OpenCVE Enrichment