CVE Vulnerability Database

CVE-2025-24075: Microsoft 365 Apps Buffer Overflow Flaw

CVE-2025-24075 is a stack-based buffer overflow vulnerability in Microsoft Office Excel that enables attackers to execute arbitrary code locally. This article covers the technical details, affected versions, and mitigation.

CVE-2025-24075 Overview

CVE-2025-24075 is a stack-based buffer overflow vulnerability [CWE-121] affecting Microsoft Office Excel and related Office products. An attacker can execute arbitrary code on a target system when a user opens a maliciously crafted Excel document. The flaw resides in Excel's file parsing logic, where insufficient bounds checking on a stack buffer allows attacker-controlled data to overwrite adjacent stack memory, including saved return addresses.

The vulnerability requires local file access and user interaction, typically delivered through phishing campaigns that lure recipients into opening weaponized .xls or .xlsx attachments. Successful exploitation yields code execution in the context of the current user.

Critical Impact

Successful exploitation grants an attacker arbitrary code execution in the user's security context. That is not SYSTEM, but it is enough to steal credentials and tokens cached for the user, move laterally with the user's access, and stage ransomware; escalating beyond the user requires a separate privilege-escalation bug.

Affected Products

  • Microsoft 365 Apps (Enterprise, x64 and x86)
  • Microsoft Excel 2016 (x64 and x86)
  • Microsoft Office 2019 (x64 and x86)
  • Microsoft Office Long Term Servicing Channel 2021 and 2024 (Windows and macOS)
  • Microsoft Office Online Server

Discovery Timeline

  • 2025-03-11 - CVE-2025-24075 published to NVD
  • 2025-07-02 - Last updated in NVD database

Technical Details for CVE-2025-24075

Vulnerability Analysis

The vulnerability is classified as a stack-based buffer overflow [CWE-121] in Microsoft Office Excel. Excel parses complex binary file structures including BIFF records (the legacy .xls format), OLE compound documents, and embedded objects. When processing a malformed record, the parser copies attacker-controlled data into a fixed-size stack buffer without validating the source length against the destination capacity.

The overflow overwrites adjacent stack memory: the locals above the buffer, the /GS stack cookie that Office builds place between the locals and the saved registers, and the saved frame pointer and return address beyond it. Corrupting the cookie is detected in the function epilogue and terminates the process with STATUS_STACK_BUFFER_OVERRUN (0xC0000409), so a reliable exploit must either confine the corruption to data below the cookie (a local pointer or length that is used before the function returns) or learn the cookie value through a separate leak. DEP rules out executing injected shellcode directly, and ASLR means a Return-Oriented Programming (ROP) chain needs an information disclosure to locate gadgets. An attacker who clears those hurdles gains arbitrary code execution under the privileges of the Excel process.

The attack vector is local and requires user interaction: the victim must open the crafted document. Protected View opens files that carry the Mark-of-the-Web in a sandboxed, read-only instance, which contains the damage even if the parser bug fires there, but users routinely click Enable Editing on documents from trusted-looking sources. EPSS estimates the probability that a vulnerability is exploited in the wild within the next 30 days; the score of 0.645% reflects moderate exploitation likelihood for an Office parser bug.

Root Cause

The root cause is missing or insufficient bounds validation in an Excel file format parser routine. The function trusts a length field from the input document and writes into a fixed-size stack buffer without verifying the value remains within safe limits.
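The pattern described above, shown as an added example in C rather than Excel's own code: a hypothetical length-prefixed record parser (header shaped loosely like a BIFF record: 2-byte type, 2-byte length, payload) that trusts the length field, beside the hardened version that bounds the copy by both the destination buffer and the bytes actually present. The record layout, function names and sample records are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, not Excel's: 2-byte type, 2-byte little-endian
 * payload length, then payload. */
#define RECORD_HDR_LEN  4
#define PAYLOAD_BUF_LEN 32

enum parse_status {
    PARSE_ERR_TRUNCATED = -1,   /* input ends before the declared payload */
    PARSE_ERR_TOO_LONG  = -2    /* declared length exceeds the stack buffer */
};

static uint16_t read_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern (CWE-121): the length field is trusted and copied into a
 * fixed-size stack buffer. A declared length above PAYLOAD_BUF_LEN overruns
 * the buffer into whatever the compiler placed next (locals, the /GS cookie,
 * the saved frame pointer and return address). Never feed this untrusted
 * input; it exists only for comparison with the hardened version. */
int parse_record_unsafe(const uint8_t *rec, size_t rec_len, uint16_t *type_out)
{
    uint8_t payload[PAYLOAD_BUF_LEN];

    if (rec_len < RECORD_HDR_LEN)
        return PARSE_ERR_TRUNCATED;

    uint16_t type = read_u16le(rec);
    uint16_t len  = read_u16le(rec + 2);

    memcpy(payload, rec + RECORD_HDR_LEN, len);   /* no bound on len */

    *type_out = type;
    return (int)len;                              /* payload bytes consumed */
}

/* Hardened version: the declared length is checked against the destination
 * capacity and against the bytes actually present before any copy happens. */
int parse_record_safe(const uint8_t *rec, size_t rec_len, uint16_t *type_out)
{
    uint8_t payload[PAYLOAD_BUF_LEN];

    if (rec_len < RECORD_HDR_LEN)
        return PARSE_ERR_TRUNCATED;

    uint16_t type = read_u16le(rec);
    uint16_t len  = read_u16le(rec + 2);

    if (len > sizeof payload)                     /* destination bound */
        return PARSE_ERR_TOO_LONG;
    if ((size_t)len > rec_len - RECORD_HDR_LEN)   /* source bound */
        return PARSE_ERR_TRUNCATED;

    memcpy(payload, rec + RECORD_HDR_LEN, len);

    *type_out = type;
    return (int)len;
}

/* Constructed sample input (not real Excel data). */
const uint8_t benign_record[]    = { 0x0A, 0x00, 0x04, 0x00, 'A', 'B', 'C', 'D' };
const uint8_t truncated_record[] = { 0x0A, 0x00, 0x04, 0x00, 'A', 'B' };  /* declares 4, carries 2 */
uint8_t crafted_record[RECORD_HDR_LEN + 256];    /* declares 256 for a 32-byte buffer */

size_t build_crafted_record(void)
{
    crafted_record[0] = 0x0A; crafted_record[1] = 0x00;   /* type = 0x000A */
    crafted_record[2] = 0x00; crafted_record[3] = 0x01;   /* len  = 0x0100 */
    memset(crafted_record + RECORD_HDR_LEN, 0x41, 256);   /* filler payload */
    return sizeof crafted_record;
}

int main(void)
{
    uint16_t type = 0;
    size_t crafted_len = build_crafted_record();

    printf("benign    (safe):   %d\n", parse_record_safe(benign_record, sizeof benign_record, &type));
    printf("truncated (safe):   %d\n", parse_record_safe(truncated_record, sizeof truncated_record, &type));
    printf("crafted   (safe):   %d\n", parse_record_safe(crafted_record, crafted_len, &type));
    /* parse_record_unsafe(crafted_record, ...) would smash the stack here. */
    printf("benign    (unsafe): %d\n", parse_record_unsafe(benign_record, sizeof benign_record, &type));
    return 0;
}
```

The two checks in parse_record_safe are the whole fix: the first stops the stack write from exceeding the buffer, the second stops an over-read past the end of the input. Reviewing a parser for this class of bug means finding every copy whose size comes from the file and confirming both bounds are applied before the copy.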

Attack Vector

Attackers deliver crafted Excel files through email attachments, malicious websites, SharePoint shares, or removable media. When a user opens the file and dismisses Protected View, the parser processes the malicious record and triggers the overflow. The vulnerability does not require authentication on the target system beyond the user's normal session.

No public proof-of-concept code is currently available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Update CVE-2025-24075 advisory for vendor-specific technical details.

Detection Methods for CVE-2025-24075

Indicators of Compromise

  • Unexpected child processes spawned by excel.exe, particularly cmd.exe, powershell.exe, rundll32.exe, or mshta.exe
  • Excel process crashes with exception code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN), which is what the /GS cookie check raises when a stack overflow reaches the cookie; a burst of such crashes from document opens is a failed or unreliable exploit attempt, not ordinary instability
  • Outbound network connections originating from excel.exe to untrusted destinations shortly after document open
  • Creation of executable files or scripts in %TEMP%, %APPDATA%, or %PUBLIC% by the Office process

Detection Strategies

  • Monitor for anomalous process trees where excel.exe is the parent of script interpreters or LOLBins
  • Apply behavioral analytics that flag Office applications writing to disk in autostart locations or registry Run keys
  • Inspect email gateways and proxies for Excel attachments with suspicious macros, embedded objects, or malformed BIFF structures
  • Correlate Windows Error Reporting telemetry for repeated Excel crashes across multiple endpoints

Monitoring Recommendations

  • Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes and executable content
  • Forward Sysmon process creation and image load events to a SIEM for hunt queries against Office process lineage
  • Track Office telemetry for documents that bypass Protected View through Mark-of-the-Web stripping

How to Mitigate CVE-2025-24075

Immediate Actions Required

  • Apply the March 2025 Microsoft security updates to all affected Office and Microsoft 365 Apps installations without delay
  • Inventory endpoints running Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps to confirm patch coverage
  • Enforce Protected View and Block Macros from the Internet through Group Policy for all Office applications. Protected View is the control that matters for this bug, since it opens untrusted files in a sandboxed, read-only instance; macro blocking does not stop a file-parsing flaw and is defense in depth only
  • Restrict opening of Excel attachments from external senders at the email gateway pending patch deployment

Patch Information

Microsoft released a security update addressing CVE-2025-24075 as part of the March 2025 Patch Tuesday cycle. Administrators should consult the Microsoft Security Update CVE-2025-24075 advisory for build numbers specific to each Office channel and apply updates through Microsoft Update, WSUS, Intune, or Microsoft 365 Apps servicing.

Workarounds

  • Configure Office File Block policy to prevent opening legacy Excel binary formats from untrusted locations
  • Deploy Attack Surface Reduction rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A to block Office child process creation
  • Train users to report unsolicited Excel attachments and avoid disabling Protected View on documents from external sources
```powershell
# Add the ASR rule "Block all Office applications from creating child processes".
# Add-MpPreference appends to the configured rule list; Set-MpPreference with the
# same parameters would replace every ASR rule already configured on the host.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions Enabled

# Confirm the rule ID is now present in the effective configuration.
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids

# Keep Protected View on for files originating from the Internet (0 = not disabled).
# This per-user key can be changed by the user; to enforce it, set the same value
# under the Group Policy path HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView.
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
