The vulnerability is a type confusion flaw in Microsoft Office applications that permits an attacker to execute code locally on the victim’s machine. By supplying data that is interpreted with an incompatible type, a malicious document can trigger arbitrary code execution. The flaw carries the CWE‑416 designation, indicating unsafe or unverifiable type handling. Successful exploitation would give the attacker full privileges on the affected computer, allowing data exfiltration, persistence, or lateral movement within the environment.

The flaw affects several Microsoft Office and SharePoint products, including Microsoft 365 Apps for Enterprise, Office 2019, Office 2021, Office 2024, the macOS versions of Office 2019, 2021, 2024, Word 2016, and SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition. Only the product names are provided; no specific version details are listed. Organizations using any of these applications are potentially at risk.

With a CVSS score of 8.4 the vulnerability is considered high severity. EPSS score is not available, so the probability of exploitation cannot be quantified. The flaw is not recorded in the CISA KEV catalog, but the combination of a local code‑execution state and the prevalence of Office environments means the threat is still significant. The likely attack vector is local via opening a specially crafted document or email attachment, inferred from the description; no remote network exploitation is described. Once executed, code runs with the privileges of the user, potentially compromising the entire system.