CVE-2025-27748: Microsoft 365 Apps Use After Free Flaw

CVE-2025-27748 is a use-after-free vulnerability in Microsoft 365 Apps that allows an unauthorized attacker to execute code locally. This article covers the technical details, affected versions, security impact, and mitigation.

CVE-2025-27748 Overview

CVE-2025-27748 is a use-after-free vulnerability [CWE-416] in Microsoft Office that allows an unauthorized attacker to execute arbitrary code locally. The flaw affects multiple Microsoft Office product lines, including Microsoft 365 Apps, Office 2016, Office 2019, and Office Long Term Servicing Channel (LTSC) 2021 and 2024 on both Windows and macOS. Exploitation requires user interaction, typically by opening a crafted Office document. Successful exploitation grants the attacker the same privileges as the local user, resulting in high impact to confidentiality, integrity, and availability.

Critical Impact

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the current user, enabling installation of programs, data theft, or creation of new accounts with user rights.

Affected Products

  • Microsoft 365 Apps (Enterprise)
  • Microsoft Office 2016 and Office 2019
  • Microsoft Office LTSC 2021 and 2024 (Windows and macOS)

Discovery Timeline

  • 2025-04-08 - CVE-2025-27748 published to NVD
  • 2026-06-17 - Last updated in the NVD database

Technical Details for CVE-2025-27748

Vulnerability Analysis

The vulnerability is a use-after-free condition [CWE-416] in Microsoft Office. Use-after-free flaws occur when a program continues to reference memory after it has been freed, allowing an attacker to manipulate the contents of the freed allocation. When the dangling pointer is dereferenced, the attacker can redirect execution flow or corrupt application state.

In the context of Microsoft Office, parsing of malformed document objects can trigger premature deallocation of memory while internal references remain in use. An attacker who controls the layout of the freed region can place crafted data structures into the same memory location to hijack control flow. This results in arbitrary code execution within the Office process.

The attack vector is local and requires user interaction, meaning the victim must open a malicious document delivered via email, web download, or shared storage. No elevated privileges are required for the attacker to deliver the payload, and exploitation runs at the privilege level of the user who opens the file.

Root Cause

The root cause is improper management of object lifetimes within Office's document parsing logic. A reference to an object is retained and later dereferenced after the underlying memory has been released, creating an exploitable dangling pointer condition.

Attack Vector

An attacker crafts a malicious Office document and delivers it to the target through phishing or another social engineering channel. When the user opens the file, Office processes the crafted content and triggers the use-after-free, leading to code execution in the user's security context. See the Microsoft Security Update CVE-2025-27748 advisory for vendor details.

No public proof-of-concept exploit has been published, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is approximately 1.024% (59th percentile) as of June 2026.

Detection Methods for CVE-2025-27748

Indicators of Compromise

  • Office applications (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, wscript.exe, or mshta.exe.
  • Office processes writing executable files to user-writable paths (%TEMP%, %APPDATA%, %LOCALAPPDATA%).
  • Unexpected outbound network connections initiated by Office processes shortly after opening a document.
  • Crash reports or Windows Error Reporting events referencing access violations in Office binaries.

Detection Strategies

  • Hunt for parent-child process relationships where Office binaries launch scripting or LOLBin processes.
  • Monitor for DLLs loaded into Office processes from unusual directories.
  • Inspect inbound email attachments with Office file extensions for embedded objects, OLE streams, or active content anomalies.

Monitoring Recommendations

  • Enable Microsoft Defender Attack Surface Reduction (ASR) rules and forward telemetry to a centralized SIEM or data lake.
  • Collect Sysmon Event IDs 1 (process creation), 7 (image load), and 11 (file create) from endpoints running Office.
  • Correlate endpoint process telemetry with email gateway logs to identify the initial delivery vector.
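A small hunting routine, added here as an example (it is not part of the original advisory), that applies the Detection Strategies and Monitoring Recommendations above to Sysmon Event ID 1 (process creation) and Event ID 11 (file create) records: it flags the listed Office binaries launching the listed scripting hosts or LOLBins, and Office processes writing executables into user-writable paths. Field names follow Sysmon's event schema; the sample events and the `C:\Users\alice` paths are constructed.

```python
"""Triage constructed Sysmon events for the Office-parent behaviours listed above."""
from typing import Dict, Iterable, List, Optional

# Office binaries named on the page and the scripting hosts / LOLBins it flags as suspicious children.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
# Expanded forms of %TEMP%, %APPDATA% and %LOCALAPPDATA% (lower-cased, backslash separated).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr")

def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one Sysmon event, or None when it matches nothing."""
    event_id = event.get("EventID")
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if event_id == "1" and parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
        # Event ID 1: an Office binary launching a scripting host or LOLBin
        return f"office_child_process:{parent}->{image}"
    if event_id == "11" and image in OFFICE_PARENTS:
        # Event ID 11: an Office process dropping an executable into a user-writable path
        target = event.get("TargetFilename", "").lower()
        if target.endswith(EXECUTABLE_EXT) and any(p in target for p in USER_WRITABLE):
            return f"office_executable_drop:{target}"
    return None

def hunt(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run triage over a stream of events and keep only the findings."""
    return [finding for finding in map(triage, events) if finding]

OFFICE16 = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
# Constructed sample telemetry (not real captured events); only events 1 and 4 should fire.
SAMPLE_EVENTS = [
    {"EventID": "1", "ParentImage": OFFICE16 + "WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": "1", "ParentImage": "C:\\Windows\\explorer.exe", "Image": OFFICE16 + "WINWORD.EXE"},
    {"EventID": "1", "ParentImage": OFFICE16 + "EXCEL.EXE", "Image": OFFICE16 + "WINWORD.EXE"},
    {"EventID": "11", "Image": OFFICE16 + "EXCEL.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"EventID": "11", "Image": OFFICE16 + "EXCEL.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\book1.xlsx"},
    {"EventID": "7", "Image": OFFICE16 + "POWERPNT.EXE", "ImageLoaded": "C:\\Windows\\System32\\ole32.dll"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In production the same two checks map directly onto a SIEM query over Sysmon Event IDs 1 and 11; the Event ID 7 record is included only to show that image-load events pass through untouched.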

How to Mitigate CVE-2025-27748

Immediate Actions Required

  • Apply the security update referenced in the Microsoft Security Update CVE-2025-27748 advisory to all affected Office installations.
  • Inventory endpoints running Microsoft 365 Apps, Office 2016/2019, and Office LTSC 2021/2024 to prioritize patch deployment.
  • Reinforce user awareness regarding unsolicited Office attachments and links.

Patch Information

Microsoft has released updates addressing CVE-2025-27748 through the standard update channels. Refer to the Microsoft Security Update CVE-2025-27748 advisory for the specific build numbers applicable to each product channel, including Click-to-Run and MSI-based deployments.

Workarounds

  • Enable Protected View and Office Application Guard to isolate documents originating from the internet or email.
  • Configure ASR rules to block Office applications from creating child processes and from injecting code into other processes.
  • Block macros from running in Office files downloaded from the internet through Group Policy.

```cmd
REM Example Group Policy registry settings: enable the ASR rules policy, then set the rule
REM "Block all Office applications from creating child processes" to Block (1)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /v ExploitGuard_ASR_Rules /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /v "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" /t REG_SZ /d 1 /f
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.