CVE Vulnerability Database

CVE-2025-24080: Microsoft 365 Apps Use After Free Flaw

CVE-2025-24080 is a use-after-free vulnerability in Microsoft 365 Apps and other Microsoft Office editions that enables an unauthorized attacker to execute code locally once a victim opens a crafted document. This article covers the technical details, affected versions, security impact, detection, and mitigation.

CVE-2025-24080 Overview

CVE-2025-24080 is a use-after-free vulnerability in Microsoft Office that allows an unauthorized attacker to execute code locally. The flaw, classified under [CWE-416], affects multiple Office editions including Microsoft 365 Apps, Office 2016, Office 2019, and Office Long Term Servicing Channel 2021 and 2024. Successful exploitation requires user interaction, typically by convincing a victim to open a crafted Office document. Attackers who exploit the issue gain code execution in the context of the current user, leading to potential compromise of confidentiality, integrity, and availability on the affected host.

Critical Impact

Local code execution in Microsoft Office through a use-after-free condition triggered by a malicious document, affecting widely deployed Microsoft 365 Apps and Office LTSC builds.

Affected Products

  • Microsoft 365 Apps (x64 and x86, Enterprise)
  • Microsoft Office 2016 and Office 2019 (x64 and x86)
  • Microsoft Office Long Term Servicing Channel 2021 and 2024 (x64 and x86)

Discovery Timeline

  • 2025-03-11 - CVE-2025-24080 published to the National Vulnerability Database
  • 2025-03-11 - Microsoft published advisory for CVE-2025-24080
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-24080

Vulnerability Analysis

The vulnerability is a use-after-free condition in Microsoft Office. Use-after-free flaws occur when a program continues to reference memory after it has been freed, allowing an attacker to influence the contents of that memory region before the dangling pointer is dereferenced. In Office, this class of bug is typically reached when a crafted document causes the application to release an internal object while another code path still holds a reference to it. When the freed object is later accessed, attacker-controlled data in the reclaimed allocation can redirect execution flow.

Exploitation runs in the context of the user who opens the document; on hosts where that user has administrative rights, the attacker inherits them. The advisory indicates that no privileges are required and attack complexity is low, but user interaction is required: the victim must open the malicious file. The attack vector is local, so the bug does not spread over the network on its own, but phishing e-mail, malicious attachments, and shared file stores are practical delivery mechanisms.

Root Cause

The root cause is improper object lifetime management within the Office document parsing or rendering path, consistent with [CWE-416] Use After Free. A freed object is referenced again, enabling memory corruption when an attacker grooms the heap with controlled data.

Attack Vector

An attacker delivers a crafted Office document to a victim through email, web download, or shared storage. When the user opens the file, parsing logic frees an internal structure prematurely. Subsequent operations dereference the stale pointer, allowing the attacker to execute arbitrary code locally in the victim's security context. Refer to the Microsoft Security Update Guide entry for CVE-2025-24080 for vendor-specific technical detail.

// No verified public proof-of-concept code is available for CVE-2025-24080.
// See the Microsoft Security Response Center advisory for technical guidance.

Detection Methods for CVE-2025-24080

Indicators of Compromise

  • Office processes (winword.exe, excel.exe, powerpnt.exe) spawning script interpreters or shells such as cmd.exe, powershell.exe, wscript.exe, or mshta.exe.
  • Unexpected child processes or DLL loads from Office binaries shortly after a user opens an attachment.
  • Outbound network connections initiated by Office applications to untrusted hosts.
  • Crash reports or Windows Error Reporting (Watson) telemetry referencing access violations inside Office modules immediately after a document is opened.

Detection Strategies

  • Hunt for parent-child relationships where Microsoft Office is the parent of LOLBins or scripting engines.
  • Monitor for Office processes writing executables, scripts, or scheduled task artifacts to disk.
  • Correlate document open events with subsequent process injection, persistence, or credential access behavior.
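One way to turn the indicators and hunt logic above into a rule that runs over telemetry, as an added example (not code from the original page or from Microsoft): a small Python hunt over Sysmon-style records for Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate). It flags Office processes that spawn script hosts or LOLBins and Office processes that write executable content to disk, and it groups findings by the Office process GUID so one document-open maps to one finding set. The Office process list, the suspicious-child list, the file-extension pattern, and the sample events are assumptions constructed for the example; tune the lists for your fleet.

```python
"""Hunt Sysmon-style telemetry for the post-exploitation behaviour that follows a
malicious Office document: Office spawning a script host or shell, and Office
writing executable content to disk.  Findings are grouped by the Office process
that produced them so one document-open maps to one finding set.

Added example (not from the original page).  Field names follow Sysmon Event
ID 1 (ProcessCreate) and Event ID 11 (FileCreate); sample events are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Script hosts and LOLBins that Office almost never launches legitimately (assumed list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|ps1|vbs|js|jse|hta|bat|cmd)$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> List[Tuple[str, str]]:
    """Return (office_process_guid, finding) pairs for one event; empty if benign."""
    findings: List[Tuple[str, str]] = []
    eid = event.get("EventID")
    if eid == 1:  # ProcessCreate: inspect the parent/child pair
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent in OFFICE_PROCS and child in SUSPICIOUS_CHILDREN:
            findings.append((
                event.get("ParentProcessGuid", "?"),
                f"office_child_process: {parent} -> {child} :: {event.get('CommandLine', '')}",
            ))
    elif eid == 11:  # FileCreate: Office dropping executable content
        proc = basename(event.get("Image", ""))
        target = event.get("TargetFilename", "")
        if proc in OFFICE_PROCS and EXECUTABLE_EXT.search(target):
            findings.append((
                event.get("ProcessGuid", "?"),
                f"office_writes_executable: {proc} -> {target}",
            ))
    return findings


def hunt(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Correlate findings per Office process, keyed by that process's ProcessGuid."""
    grouped: Dict[str, List[str]] = {}
    for ev in events:
        for guid, finding in evaluate(ev):
            grouped.setdefault(guid, []).append(finding)
    return grouped


# Constructed sample telemetry: one malicious document-open plus two benign events.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-03-12 09:14:02.101", "ProcessGuid": "{G-WORD-1}",
     "Image": WORD, "CommandLine": f'"{WORD}" /n "C:\\Users\\alice\\Downloads\\invoice.docx"',
     "ParentProcessGuid": "{G-EXPLORER}", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "UtcTime": "2025-03-12 09:14:06.530", "ProcessGuid": "{G-PS-1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentProcessGuid": "{G-WORD-1}", "ParentImage": WORD},
    {"EventID": 11, "UtcTime": "2025-03-12 09:14:07.004", "ProcessGuid": "{G-WORD-1}",
     "Image": WORD, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Benign: Word launching the print spooler helper.
    {"EventID": 1, "UtcTime": "2025-03-12 09:20:11.000", "ProcessGuid": "{G-SPL-1}",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288",
     "ParentProcessGuid": "{G-WORD-1}", "ParentImage": WORD},
    # Benign: Excel writing its own lock file.
    {"EventID": 11, "UtcTime": "2025-03-12 09:25:40.000", "ProcessGuid": "{G-XL-1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\~$budget.xlsx"},
]

if __name__ == "__main__":
    for guid, items in hunt(SAMPLE_EVENTS).items():
        print(f"Office process {guid}:")
        for item in items:
            print("  ", item)
```

Running the module prints the two findings for the Word process that opened invoice.docx and nothing for the print-helper or lock-file events. The same logic ports directly to a Sigma rule or a SIEM query; the grouping by Office ProcessGuid is what lets an analyst tie a child-process alert and a dropped binary back to a single document-open event.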

Monitoring Recommendations

  • Enable and forward Microsoft Defender, Sysmon, and EDR telemetry for Office process trees.
  • Alert on Office add-ins or templates loaded from non-standard paths.
  • Track email gateway telemetry for inbound documents with macros, embedded objects, or unusual file types.

How to Mitigate CVE-2025-24080

Immediate Actions Required

  • Apply the Microsoft security updates referenced in the MSRC advisory for CVE-2025-24080 across all affected Office and Microsoft 365 Apps installations.
  • Inventory endpoints running Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps to confirm patch state.
  • Block or quarantine inbound Office documents from external senders pending remediation.

Patch Information

Microsoft has published a security update addressing CVE-2025-24080. Administrators should deploy the update via Microsoft Update, Windows Server Update Services (WSUS), Microsoft Intune, or the Click-to-Run update channel applicable to Microsoft 365 Apps. Validate the build number on each affected client after deployment using File > Account > About in any Office application; for fleet-wide checks of Click-to-Run installs, the same build is exposed in the registry as VersionToReport under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration, which is easier to collect at scale than the About dialog.

Workarounds

  • Enforce Protected View, and Application Guard for Office where it is available, for documents originating from the internet or email.
  • Disable or restrict legacy file formats and Office macros through Group Policy and Microsoft 365 Cloud Policy.
  • Apply Attack Surface Reduction (ASR) rules that block Office applications from creating child processes and from injecting code into other processes.
```powershell
# Example: enable the ASR rules that block Office applications from creating
# child processes and from injecting code into other processes.
# Add-MpPreference appends to the configured rule list; Set-MpPreference with
# -AttackSurfaceReductionRules_Ids would replace every rule already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A, 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 `
                 -AttackSurfaceReductionRules_Actions Enabled, Enabled
# Use AuditMode in place of Enabled to measure impact before enforcing.
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
