CVE-2025-47957 Overview
CVE-2025-47957 is a use-after-free vulnerability [CWE-416] in Microsoft Office Word. The flaw allows an unauthorized attacker to execute code locally on affected systems. Microsoft published the advisory on June 10, 2025, covering Microsoft 365 Apps and Office Long Term Servicing Channel 2021 and 2024.
Attackers can trigger the vulnerability by convincing a user to open a crafted Word document. Successful exploitation results in code execution in the context of the current user. The EPSS data places this issue in a higher-than-average probability tier for near-term exploitation activity.
Critical Impact
Successful exploitation grants arbitrary code execution in the context of the user opening a malicious Word document, enabling full compromise of confidentiality, integrity, and availability on the affected host.
Affected Products
- Microsoft 365 Apps (Enterprise)
- Microsoft Office Long Term Servicing Channel 2021
- Microsoft Office Long Term Servicing Channel 2024
Discovery Timeline
- 2025-06-10 - CVE-2025-47957 published to NVD
- 2025-06-10 - Microsoft releases advisory and security update
- 2025-07-09 - Last updated in NVD database
Technical Details for CVE-2025-47957
Vulnerability Analysis
The vulnerability is a use-after-free condition [CWE-416] in Microsoft Office Word document parsing. Word allocates objects to represent document structures during file parsing. Under specific conditions, the application releases an object while retaining a reference to the freed memory. Subsequent operations dereference that stale pointer.
An attacker who controls the document content can shape the freed allocation and the reuse path. This allows replacement of the freed object with attacker-controlled data. When Word later uses the dangling reference, control flow can be redirected to attacker-supplied code.
The CWE-416 class typically enables arbitrary read, write, or virtual function pointer hijacking. In Office, this commonly results in code execution within the WINWORD.EXE process. The process then inherits the user's privileges and access to local resources.
Root Cause
The root cause is improper object lifetime management inside Word's document handling code. The application frees an object referenced by another structure without clearing or invalidating the reference. Reuse of the dangling pointer during continued parsing or rendering triggers the unsafe access.
Attack Vector
The attack vector is local and requires user interaction in practice. The attacker delivers a crafted .doc or .docx file through email, file share, or web download. Opening the document in a vulnerable version of Word triggers the parsing path that frees and later reuses the object. No additional privileges are required before exploitation.
No verified proof-of-concept code is publicly linked to this CVE in the available references. See the Microsoft CVE-2025-47957 Advisory for vendor-provided technical context.
Detection Methods for CVE-2025-47957
Indicators of Compromise
- WINWORD.EXE spawning unusual child processes such as cmd.exe, powershell.exe, wscript.exe, or rundll32.exe.
- Word processes performing outbound network connections to untrusted destinations shortly after document open.
- Unexpected file writes to %APPDATA%, %TEMP%, or Startup folders originating from WINWORD.EXE.
- Crash dumps or Watson reports referencing access violations within Word's parsing components.
Detection Strategies
- Hunt for parent-child process anomalies where Office binaries launch scripting interpreters or LOLBins.
- Inspect Word document attachments for malformed structures, embedded objects, or unusual OLE streams before delivery.
- Use behavioral analytics to flag memory corruption indicators, including exception events and heap manipulation in Office processes.
- Correlate document open events with subsequent persistence or credential access activity on the host.
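The hunts above can be expressed as rules over endpoint process, file, and network events. The following is an added example, not code from the advisory or from any vendor product. It assumes events arrive as dictionaries using Sysmon field names (event IDs 1, 11 and 3); the extension list, the trusted-network allowlist and the two-minute window are assumptions to tune per environment.

```python
import ipaddress
import ntpath
from datetime import datetime, timedelta

# Child images named in the indicator list above.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}
# Assumption: Word writes benign temp files constantly, so flag only risky extensions.
RISKY_EXT = {".exe", ".dll", ".js", ".vbs", ".ps1", ".bat", ".lnk", ".hta"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed allowlist, replace
WINDOW = timedelta(minutes=2)  # assumed meaning of "shortly after document open"

def base(path):
    return ntpath.basename(path or "").lower()

def hunt(events):
    """Return (rule, detail) tuples for Sysmon-style event dicts."""
    findings, word_start = [], {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts, image = datetime.fromisoformat(ev["UtcTime"]), base(ev["Image"])
        if ev["EventID"] == 1:  # process creation
            if image == "winword.exe":
                word_start[ev["ProcessGuid"]] = ts  # remember when Word started
            elif base(ev.get("ParentImage")) == "winword.exe" and image in SUSPICIOUS_CHILDREN:
                findings.append(("office_child_process", ev["Image"]))
        elif image == "winword.exe" and ev["EventID"] == 11:  # file creation by Word
            path = ev["TargetFilename"].lower()
            risky = ntpath.splitext(path)[1] in RISKY_EXT and (
                "\\appdata\\" in path or "\\temp\\" in path)
            if risky or "\\startup\\" in path:
                findings.append(("office_file_drop", ev["TargetFilename"]))
        elif image == "winword.exe" and ev["EventID"] == 3:  # network connection by Word
            dest = ipaddress.ip_address(ev["DestinationIp"])
            started = word_start.get(ev["ProcessGuid"])
            if started and ts - started <= WINDOW and not any(dest in n for n in TRUSTED_NETS):
                findings.append(("office_early_network", ev["DestinationIp"]))
    return findings

# Constructed sample events (not real telemetry); field names follow Sysmon.
def mk(eid, sec, image, **kw):
    return {"EventID": eid, "UtcTime": f"2025-06-11 09:00:{sec:02d}.000", "Image": image, **kw}
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE = [
    mk(1, 0, WORD, ProcessGuid="{w1}", ParentImage=r"C:\Windows\explorer.exe"),
    mk(11, 2, WORD, TargetFilename=r"C:\Users\a\AppData\Local\Temp\~WRD0001.tmp"),
    mk(3, 3, WORD, ProcessGuid="{w1}", DestinationIp="10.1.2.3"),
    mk(3, 9, WORD, ProcessGuid="{w1}", DestinationIp="203.0.113.7"),
    mk(11, 12, WORD, TargetFilename=r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.lnk"),
    mk(1, 15, r"C:\Windows\System32\cmd.exe", ParentImage=WORD),
]
```

Calling `hunt(SAMPLE)` flags the external connection, the Startup write and the `cmd.exe` child, while the routine temp file and the allowlisted connection pass.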
Monitoring Recommendations
- Enable command-line and module-load logging for all Office applications across managed endpoints.
- Forward Office telemetry, Sysmon, and EDR events to a centralized data lake for retroactive hunting.
- Apply Attack Surface Reduction (ASR) rules that block Office child process creation and audit any blocked attempts.
- Track patch deployment status for Microsoft 365 Apps and Office LTSC against asset inventory.
The Singularity Endpoint behavioral AI engine identifies exploitation patterns associated with use-after-free abuse in Office, including anomalous child process creation and in-memory code execution from WINWORD.EXE. Singularity Data Lake supports retroactive hunting across ingested Office and endpoint telemetry using OCSF-normalized events.
How to Mitigate CVE-2025-47957
Immediate Actions Required
- Apply the June 2025 Microsoft security updates to all Microsoft 365 Apps and Office LTSC 2021/2024 installations.
- Inventory endpoints running unpatched Office builds and prioritize remediation for users handling external documents.
- Enable Protected View and Office Application Guard to contain malicious documents originating from the internet or email.
- Restrict macro execution and block legacy file formats at the email gateway where business processes permit.
Patch Information
Microsoft addressed CVE-2025-47957 through the security update referenced in the Microsoft CVE-2025-47957 Advisory. Administrators should validate that Click-to-Run channels and LTSC installations reflect the fixed build numbers documented by Microsoft. Standalone Office deployments require manual update verification through the Microsoft Update Catalog.
Workarounds
- Configure Group Policy to force Protected View for files originating from the internet, unsafe locations, and Outlook attachments.
- Apply the Microsoft Defender ASR rule "Block all Office applications from creating child processes" to disrupt post-exploitation execution.
- Use File Block Policy to disallow opening older Word binary formats from untrusted sources.
- Restrict execution of Office on systems that do not require it through application control policies such as WDAC or AppLocker.
```powershell
# Example: enforce Protected View and block Office child processes via PowerShell
$pv = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView'
# Create the key if it does not exist yet; Set-ItemProperty fails on a missing path
if (-not (Test-Path $pv)) { New-Item -Path $pv -Force | Out-Null }
# A value of 0 keeps Protected View enabled for internet files and Outlook attachments
Set-ItemProperty -Path $pv -Name 'DisableInternetFilesInPV' -Value 0 -Type DWord
Set-ItemProperty -Path $pv -Name 'DisableAttachmentsInPV' -Value 0 -Type DWord
# Enable Microsoft Defender ASR rule: Block Office apps from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled
```


