CVE-2025-29820 Overview
CVE-2025-29820 is a use-after-free vulnerability [CWE-416] in Microsoft Office Word. An attacker can execute arbitrary code locally when a user opens a crafted Word document. The flaw affects Microsoft 365 Apps, Office 2016, Office 2019, Office Long Term Servicing Channel (LTSC) 2021 and 2024, and SharePoint Enterprise Server 2016. Exploitation requires user interaction but no privileges, allowing full compromise of confidentiality, integrity, and availability on the affected system. Microsoft published the advisory on April 8, 2025.
Critical Impact
Successful exploitation grants code execution in the context of the user opening the document, enabling malware installation, credential theft, and lateral movement from a single phishing lure.
Affected Products
- Microsoft 365 Apps (Enterprise, x86 and x64)
- Microsoft Office 2016 and Office 2019 (x86 and x64)
- Microsoft Office LTSC 2021 and 2024 (Windows and macOS), and SharePoint Enterprise Server 2016
Discovery Timeline
- 2025-04-08 - CVE-2025-29820 published to NVD and Microsoft advisory released
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-29820
Vulnerability Analysis
CVE-2025-29820 is a use-after-free condition in the Microsoft Word document parsing engine. Word references a heap object after it has been freed, allowing an attacker to control the contents of the reclaimed memory. When the dangling pointer is dereferenced, the attacker can hijack control flow and execute code within the Word process.
The attack vector is local and requires user interaction. A victim must open a malicious .doc, .docx, or .rtf file, or preview one where the Preview Pane triggers the vulnerable code path. Code executes at the privilege level of the current user, which on typical workstations includes access to user data, network resources, and persistence locations.
The issue also affects SharePoint Enterprise Server 2016, where server-side document handling can process attacker-supplied files. Combined with phishing, the flaw provides a reliable initial access primitive for endpoint compromise.
Root Cause
The root cause is improper lifetime management of a heap-allocated object during document parsing. A code path frees the object while another reference remains active. Subsequent operations dereference the stale pointer, and heap grooming with attacker-controlled content converts the memory-safety error into arbitrary code execution.
Attack Vector
Exploitation typically starts with a weaponized Word document delivered by email, chat, or web download. When the user opens the document, embedded objects, malformed structures, or crafted OLE streams trigger the vulnerable free-and-reuse sequence. The Word process then executes shellcode chosen by the attacker.
The vulnerability manifests during document parsing. No verified proof-of-concept code is publicly available. See the Microsoft CVE-2025-29820 Advisory for vendor technical details.
Detection Methods for CVE-2025-29820
Indicators of Compromise
- winword.exe or sharepoint-related worker processes spawning command interpreters such as cmd.exe, powershell.exe, or wscript.exe
- Unexpected child processes from Office applications writing executables to %APPDATA%, %TEMP%, or %PUBLIC%
- Outbound network connections initiated directly by winword.exe to untrusted domains shortly after a document open event
- Crash telemetry showing access violations in Word during document parsing, especially on heap addresses
Detection Strategies
- Hunt for Office process ancestry anomalies where winword.exe is the parent of scripting engines, LOLBins, or reconnaissance utilities such as whoami.exe and net.exe
- Correlate email gateway logs of Word attachments with subsequent endpoint alerts to identify weaponized delivery
- Inspect documents for embedded OLE objects, ActiveX controls, and unusual RTF control words consistent with heap-grooming payloads
Monitoring Recommendations
- Enable and forward Microsoft Defender ASR rule telemetry, particularly "Block all Office applications from creating child processes"
- Ingest Sysmon Event IDs 1, 3, 7, and 11 for Office binaries into a central SIEM for behavioral correlation
- Alert on unsigned or newly observed DLLs loaded into winword.exe and on Word crashes reported through Windows Error Reporting
How to Mitigate CVE-2025-29820
Immediate Actions Required
- Apply the April 2025 Microsoft security updates to all affected Office, Microsoft 365 Apps, and SharePoint 2016 installations
- Confirm patch deployment by validating file versions against the Microsoft CVE-2025-29820 Advisory build tables
- Prioritize endpoints belonging to high-risk users such as executives, finance, and IT administrators who frequently receive external documents
Patch Information
Microsoft released fixes for CVE-2025-29820 on April 8, 2025, delivered through the standard Microsoft Update, Click-to-Run, and Windows Server Update Services (WSUS) channels. SharePoint Enterprise Server 2016 requires the corresponding server security update. Verify installation with Get-HotFix or the Office "About" build information.
Workarounds
- Enable Protected View and Office File Block policy to force untrusted documents to open in a sandboxed, read-only state
- Disable the Outlook Preview Pane and configure email gateways to strip or quarantine macro-enabled and RTF attachments from external senders
- Apply Microsoft Defender Attack Surface Reduction rules blocking Office child process creation and executable content from email
# Configuration example: enforce ASR rules blocking Office child processes and executable email content
Set-MpPreference -AttackSurfaceReductionRules_Ids `
D4F940AB-401B-4EFC-AADC-AD5F3C50688A, `
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 `
-AttackSurfaceReductionRules_Actions Enabled, Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

