CVE-2025-26642 Overview
CVE-2025-26642 is an out-of-bounds read vulnerability in Microsoft Office that allows an unauthorized attacker to execute code locally. The flaw, classified under [CWE-125], affects multiple Microsoft Office products including Microsoft 365 Apps, Excel, Access, SharePoint Server, and Office Online Server. Exploitation requires user interaction, typically through opening a maliciously crafted Office document. Successful exploitation grants the attacker the ability to run arbitrary code in the context of the current user.
Critical Impact
An attacker who tricks a user into opening a crafted Office file can execute arbitrary code, leading to full compromise of confidentiality, integrity, and availability on the target system.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Office 2016, 2019, and Office Long Term Servicing Channel 2021 and 2024 (Windows and macOS)
- Microsoft Access 2016, Excel 2016, Office Online Server, and SharePoint Server 2019
Discovery Timeline
- 2025-04-08 - CVE-2025-26642 published to NVD
- 2025-07-09 - Last updated in NVD database
Technical Details for CVE-2025-26642
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in Microsoft Office's parsing routines. When Office processes a specially crafted document, it reads memory beyond the bounds of an allocated buffer. The attacker can leverage this read primitive to leak memory contents or, when combined with other conditions, redirect execution flow.
Exploitation results in local code execution under the privileges of the user who opened the document. Because Office is commonly used to handle untrusted email attachments and downloaded files, the attack surface is broad. The Exploit Prediction Scoring System rates the likelihood of exploitation in the near term as moderate.
Root Cause
The root cause is improper validation of length or boundary fields within an Office file format structure. When Office parses the malformed structure, it dereferences memory addresses outside the intended buffer. This out-of-bounds read can corrupt control data used later by the application, producing an exploitable condition.
Attack Vector
The attack vector is local and requires user interaction. An attacker delivers a crafted Office document, typically via phishing email, malicious website download, or a SharePoint-hosted file. Upon opening, Office parses the file and triggers the out-of-bounds read. No authentication is required from the attacker, and the vulnerability does not need elevated privileges to exploit.
No public proof-of-concept code is available for CVE-2025-26642 at the time of writing. Refer to the Microsoft Security Update CVE-2025-26642 advisory for vendor technical details.
Detection Methods for CVE-2025-26642
Indicators of Compromise
- Unexpected winword.exe, excel.exe, msaccess.exe, or other Office process spawning command interpreters such as cmd.exe, powershell.exe, or wscript.exe.
- Office applications writing executable files or scripts to user-writable directories such as %TEMP%, %APPDATA%, or %PUBLIC%.
- Office processes making outbound network connections to untrusted external hosts shortly after document open.
Detection Strategies
- Hunt for child-process relationships where Office binaries launch scripting engines or LOLBins, which is a strong indicator of document-based exploitation.
- Inspect inbound email and file-share traffic for Office documents that contain unusually malformed structures or trigger Office parser errors.
- Correlate Office crash telemetry (Windows Error Reporting, WerFault.exe events) with subsequent suspicious process activity on the same host.
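The two hunts above (Office binaries spawning interpreters, and crash telemetry followed by suspicious process activity on the same host) can be combined in one pass over process-creation events. This is an added example, not vendor detection content: the event tuples are constructed sample data with fields modelled on Sysmon Event ID 1, and the five-minute correlation window and the use of a WerFault.exe child of an Office binary as the crash signal are assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "msaccess.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}
CRASH_WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed records: (UTC time, host, parent image, child image).
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    ("2025-04-09T10:00:05", "WS01", r"C:\Windows\explorer.exe", EXCEL),
    ("2025-04-09T10:00:09", "WS01", EXCEL, r"C:\Windows\System32\WerFault.exe"),
    ("2025-04-09T10:00:41", "WS01", EXCEL,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("2025-04-09T11:15:00", "WS02", WORD, r"C:\Windows\System32\cmd.exe"),
    ("2025-04-09T11:20:00", "WS03", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\cmd.exe"),
]

def name(path):
    """Lower-cased file name of a Windows image path."""
    return basename(path).lower()

def hunt(events):
    """Flag Office -> interpreter spawns; raise severity when an Office
    crash was seen on the same host within CRASH_WINDOW beforehand."""
    last_crash = {}  # host -> time of the most recent Office crash
    findings = []
    for ts, host, parent, image in sorted(events):  # ISO times sort correctly
        when = datetime.fromisoformat(ts)
        p, c = name(parent), name(image)
        if p not in OFFICE:
            continue  # only Office parents are of interest here
        if c == "werfault.exe":
            last_crash[host] = when
        elif c in INTERPRETERS:
            crash = last_crash.get(host)
            recent = crash is not None and when - crash <= CRASH_WINDOW
            findings.append({"host": host, "time": ts, "parent": p, "child": c,
                             "severity": "high" if recent else "medium"})
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

In production the same logic would run as a query in the analytics platform that receives the Sysmon events; the severity split keeps plain Office-to-shell spawns visible while ranking crash-correlated ones first.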
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes and executable content.
- Forward Sysmon process-creation, image-load, and network-connection events to a centralized analytics platform for correlation.
- Monitor SharePoint Server and Office Online Server logs for anomalous document upload patterns and parser exceptions.
How to Mitigate CVE-2025-26642
Immediate Actions Required
- Apply the April 2025 Microsoft security updates referenced in the Microsoft Security Update CVE-2025-26642 advisory to all affected Office installations.
- Prioritize patching of SharePoint Server 2019 and Office Online Server because they expose document parsing to a broader user base.
- Verify that Microsoft 365 Apps clients are on a supported update channel and have received the latest cumulative update.
Patch Information
Microsoft has released security updates for all affected products. Consult the Microsoft Security Update CVE-2025-26642 advisory for KB article numbers, build numbers, and download links specific to each Office channel and version.
Workarounds
- Enforce Protected View and Block Macros from Running in Office Files from the Internet via Group Policy to reduce the chance of automatic parsing of attacker-controlled files.
- Restrict opening of Office documents originating from email or the internet by enabling Mark-of-the-Web enforcement and configuring File Block policies for legacy formats.
- Deliver targeted user awareness training so recipients verify document sources before opening attachments from unknown senders.
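# Registry example: enforce Protected View for files from the internet (Excel)
# Note: these are the per-user Trust Center values; settings deployed through Group Policy are written under the Software\Policies hive instead.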
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f