
CVE-2025-30379: Microsoft 365 Apps RCE Vulnerability

CVE-2025-30379 is a remote code execution flaw in Microsoft Office Excel that allows attackers to execute unauthorized code locally. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2025-30379 Overview

CVE-2025-30379 is a local code execution vulnerability in Microsoft Office Excel caused by the release of an invalid pointer or reference [CWE-763]. An attacker who crafts a malicious Excel document can execute arbitrary code in the context of the user opening the file. Exploitation requires user interaction, typically through opening a weaponized spreadsheet delivered via phishing or a file share. The flaw affects multiple Microsoft Office product lines including Microsoft 365 Apps, Excel 2016, Office 2019, Office Long Term Servicing Channel 2021 and 2024, and Office Online Server.

Critical Impact

Successful exploitation yields full confidentiality, integrity, and availability impact on the host, enabling arbitrary code execution under the targeted user's privileges.

Affected Products

  • Microsoft 365 Apps (Enterprise)
  • Microsoft Excel 2016 and Microsoft Office 2019
  • Microsoft Office Long Term Servicing Channel 2021 and 2024 (Windows and macOS), Microsoft Office Online Server

Discovery Timeline

  • 2025-05-13 - CVE-2025-30379 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-30379

Vulnerability Analysis

The vulnerability is classified under [CWE-763] Release of Invalid Pointer or Reference. Microsoft Excel mishandles a pointer or object reference during the processing of a crafted spreadsheet, leading to memory corruption. When the application releases a pointer that does not reference a valid allocation, the underlying allocator state becomes inconsistent. Attackers can manipulate this state through controlled spreadsheet content to redirect execution into attacker-supplied data.

The CVSS attack vector is Local and user interaction is required: the user must open a malicious .xlsx, .xls, or related Office document. Exploitation needs no authentication on the target host beyond the user's normal session, and code execution occurs in the security context of the user account running Excel.

Root Cause

The root cause lies in Excel's object lifecycle management when parsing structured spreadsheet content. A code path releases or dereferences a pointer that was not properly initialized or that references freed or invalid memory. Memory corruption primitives derived from this condition allow control-flow hijacking inside the Excel process.

Attack Vector

Attackers typically deliver the malicious workbook through email attachments, collaboration platforms, or compromised file shares. When the targeted user opens the file in a vulnerable Excel build, the parser triggers the invalid pointer release. The resulting code execution runs without elevation and inherits the user's permissions on local files, network shares, and authentication tokens.

No verified public proof-of-concept code is available for CVE-2025-30379 at this time. Technical specifics are detailed in the Microsoft Security Update CVE-2025-30379 advisory.

Detection Methods for CVE-2025-30379

Indicators of Compromise

  • Unexpected child processes spawned by EXCEL.EXE, such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe.
  • Excel processes writing executable content to user-writable paths like %APPDATA%, %TEMP%, or %LOCALAPPDATA%.
  • Outbound network connections initiated directly by EXCEL.EXE to untrusted external hosts shortly after document open.
  • Crash events or Windows Error Reporting entries referencing access violations inside Office DLLs after opening a spreadsheet.

Detection Strategies

  • Hunt for process lineage where EXCEL.EXE is the parent of script interpreters or living-off-the-land binaries.
  • Inspect Office telemetry for documents triggering Protected View bypass attempts or macro-less code execution patterns.
  • Correlate inbound email attachments containing Excel files with subsequent suspicious process activity on the recipient host.
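The process-lineage and file-write hunts above, as an added example that is not part of the original page: a small Python triage routine run over constructed Sysmon-style events (Event ID 1 process creation and Event ID 11 file creation). Field names follow Sysmon's; the sample events, user name and paths are invented for illustration.

```python
import ntpath

# Process names that should not normally be children of EXCEL.EXE.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
EXEC_EXTENSIONS = {".exe", ".dll", ".hta", ".js", ".vbs", ".ps1"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def suspicious_child(event):
    """Sysmon Event ID 1: EXCEL.EXE is the parent of an interpreter or LOLBin."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == "excel.exe" and child in SUSPICIOUS_CHILDREN

def excel_drops_executable(event):
    """Sysmon Event ID 11: EXCEL.EXE writes executable content to a user-writable path."""
    proc = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "").lower()
    return (proc == "excel.exe" and ntpath.splitext(target)[1] in EXEC_EXTENSIONS
            and any(p in target for p in USER_WRITABLE))

def triage(events):
    """Return (UtcTime, rule, detail) for each event matching a rule, in input order."""
    hits = []
    for e in events:
        if e.get("EventID") == 1 and suspicious_child(e):
            hits.append((e["UtcTime"], "excel-child-process", e.get("CommandLine", "")))
        elif e.get("EventID") == 11 and excel_drops_executable(e):
            hits.append((e["UtcTime"], "excel-writes-executable", e["TargetFilename"]))
    return hits

# Constructed sample events (not from a real incident); field names follow Sysmon.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-05-14 09:12:01", "Image": EXCEL,  # benign: user opens workbook
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xlsx"'},
    {"EventID": 11, "UtcTime": "2025-05-14 09:12:07", "Image": EXCEL,  # Excel drops a DLL into %TEMP%
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"EventID": 1, "UtcTime": "2025-05-14 09:12:08", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": EXCEL, "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start"},
    {"EventID": 1, "UtcTime": "2025-05-14 09:30:00", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},  # benign: launched from shell
    {"EventID": 11, "UtcTime": "2025-05-14 09:31:00", "Image": EXCEL,  # benign: Excel owner/lock file
     "TargetFilename": r"C:\Users\alice\Downloads\~$invoice.xlsx"},
]

if __name__ == "__main__":
    for when, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{when}  {rule:25s}  {detail}")
```

Only the DLL drop and the rundll32 child fire; the workbook open, the PowerShell launched from Explorer and Excel's own `~$` lock file are left alone, which is the precision a production rule needs before it goes into a SIEM.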

Monitoring Recommendations

  • Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes and writing executable content.
  • Forward Sysmon process creation, image load, and file write events from endpoints running Office to a centralized SIEM.
  • Track Office build numbers across the fleet to confirm patch coverage and surface unpatched hosts.

How to Mitigate CVE-2025-30379

Immediate Actions Required

  • Apply the security update referenced in the Microsoft Security Update CVE-2025-30379 advisory to all affected Office installations.
  • Prioritize patching for users who routinely receive external spreadsheets, including finance, procurement, and executive assistants.
  • Verify that Microsoft 365 Apps update channels are not paused and that Office Online Server instances receive the corresponding server-side update.

Patch Information

Microsoft has released fixes through the standard Office and Microsoft 365 update channels. Administrators should consult the vendor advisory for specific build numbers covering Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server. Confirm deployment via File > Account > About Excel or through Microsoft Endpoint Manager reports.

Workarounds

  • Enforce Protected View and Office File Block policies for spreadsheets originating from the internet or email attachments.
  • Disable opening of legacy .xls binary formats from untrusted sources via Group Policy where business processes allow.
  • Restrict execution of Office child processes through Attack Surface Reduction rules until patches are deployed.
```powershell
# Example: enable the ASR rule "Block all Office applications from creating child processes".
# Add-MpPreference appends to the existing rule list; Set-MpPreference would replace it,
# silently dropping any ASR rules already configured on the host.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions Enabled
# Verify the rule ID is listed and its action is Enabled (1).
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
