CVE-2025-49698 Overview
CVE-2025-49698 is a use-after-free vulnerability [CWE-416] in Microsoft Office Word that allows an unauthorized attacker to execute code locally. The flaw affects Microsoft 365 Apps, Office 2019, Office Long Term Servicing Channel 2021 and 2024, and Word 2016 across x64, x86, and macOS builds. Successful exploitation requires user interaction, typically by opening a crafted Word document. An attacker who triggers the dangling pointer condition can gain code execution in the context of the current user.
Critical Impact
Attackers can achieve arbitrary code execution on the local system through a malicious Word document, compromising confidentiality, integrity, and availability.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Office 2019 and Office Long Term Servicing Channel 2021/2024 (Windows and macOS)
- Microsoft Word 2016 (x64 and x86)
Discovery Timeline
- 2025-07-08 - CVE-2025-49698 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-49698
Vulnerability Analysis
The vulnerability is a use-after-free condition [CWE-416] in Microsoft Office Word's document parsing logic. Word continues to reference an object in memory after that object has been freed. When the attacker controls the contents written into the reused memory region, the dangling pointer can be leveraged to redirect execution flow.
The attack vector is local and requires user interaction. A victim must open a specially crafted .doc or .docx file delivered via email, file share, or web download. Once opened, the malformed document triggers the object lifecycle bug during parsing or rendering, producing arbitrary code execution in the user's security context.
The EPSS score is 0.513% (39.6th percentile), and there is no confirmed in-the-wild exploitation and no CISA KEV listing at this time.
Root Cause
The root cause is improper management of object lifetimes during Word document processing. A pointer to a freed structure is retained and later dereferenced. Attackers shape the heap so the reclaimed allocation contains attacker-controlled data, converting the use-after-free into a controlled write or controlled call primitive.
Attack Vector
Exploitation requires the victim to open a crafted Word document. The file is typically delivered through phishing, malicious attachments, or compromised file shares. Because privileges are not required prior to exploitation, the attacker only needs the user to interact with the document. Execution occurs with the privileges of the user running Word, which is often a standard interactive user account on enterprise workstations.
No verified proof-of-concept code is publicly available for CVE-2025-49698.
Refer to the Microsoft Security Response Center advisory for technical details.
Detection Methods for CVE-2025-49698
Indicators of Compromise
- Microsoft Word (winword.exe) spawning unexpected child processes such as cmd.exe, powershell.exe, wscript.exe, or rundll32.exe.
- Word processes making outbound network connections shortly after opening a document from email or an internet location.
- Crash dumps or Windows Error Reporting events referencing winword.exe and access violations in document parsing modules.
- Office documents arriving from external senders containing embedded objects, unusual OLE streams, or Mark-of-the-Web bypass attempts.
Detection Strategies
- Hunt for parent-child process relationships where winword.exe launches scripting interpreters or LOLBins.
- Monitor for memory access violations and exception events tied to Office binaries on endpoints.
- Inspect inbound email attachments and gateway scans for malformed Word documents and macro-laden files.
- Correlate document open events with subsequent file writes to %TEMP%, %APPDATA%, or Startup folders.
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes.
- Forward Office telemetry, Sysmon process creation events (Event ID 1), and image load events to a centralized SIEM for analysis.
- Apply behavioral analytics that flag deviations from baseline Office process trees across managed endpoints.
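The parent-child hunt described in the indicator and detection lists above, applied to Sysmon Event ID 1 records, as an added example that is not part of this advisory page. It assumes records arrive in Sysmon's rendered "Key: Value" message layout, and the sample records and the extra LOLBin names beyond the four on this page are constructed assumptions:

```python
"""Hunt Sysmon Event ID 1 records for winword.exe launching scripting hosts or LOLBins."""
from pathlib import PureWindowsPath

# Child images Word should not normally spawn: the four named on this page plus a few
# extra LOLBins added here as an assumption; tune the set for your environment.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe",   # from the IoC list
    "pwsh.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "certutil.exe",
}
OFFICE_PARENT = "winword.exe"

def parse_sysmon_record(text: str) -> dict:
    """Parse the 'Key: Value' lines of a rendered Sysmon process-create message."""
    lines = text.strip().splitlines()[1:]            # drop the "Process Create:" header
    return {k.strip(): v.strip() for k, _, v in (ln.partition(": ") for ln in lines)}

def image_name(path: str) -> str:
    """Normalise an Image/ParentImage path to its lower-case file name."""
    return PureWindowsPath(path).name.lower()

def is_suspicious_word_child(rec: dict) -> bool:
    """True when winword.exe is the parent and the child is a scripting host or LOLBin."""
    return (image_name(rec.get("ParentImage", "")) == OFFICE_PARENT
            and image_name(rec.get("Image", "")) in SUSPICIOUS_CHILDREN)

def hunt(records: list) -> list:
    """Return (user, child image, command line) for every record matching the hunt."""
    hits = []
    for rec in map(parse_sysmon_record, records):
        if is_suspicious_word_child(rec):
            hits.append((rec.get("User", ""), image_name(rec["Image"]), rec.get("CommandLine", "")))
    return hits

# Constructed sample records (not real telemetry) in Sysmon's rendered message layout.
SAMPLE_RECORDS = [
    """Process Create:
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.ps1
User: CORP\\jdoe
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE""",
    """Process Create:
Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
CommandLine: "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n
User: CORP\\jdoe
ParentImage: C:\\Windows\\explorer.exe""",
    """Process Create:
Image: C:\\Windows\\System32\\rundll32.exe
CommandLine: rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.dll,Run
User: CORP\\jdoe
ParentImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE""",
]
```

Only the two records where WINWORD.EXE is the parent of powershell.exe and rundll32.exe are returned; Word itself being launched by explorer.exe is ignored.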
How to Mitigate CVE-2025-49698
Immediate Actions Required
- Apply the security updates referenced in the Microsoft Security Update CVE-2025-49698 advisory across all affected Office and Microsoft 365 Apps installations.
- Prioritize patching workstations used by high-risk roles such as executives, finance, HR, and IT administrators.
- Verify update deployment status through configuration management tooling and validate Office build numbers post-deployment.
Patch Information
Microsoft has released security updates addressing CVE-2025-49698 for Microsoft 365 Apps, Office 2019, Office LTSC 2021, Office LTSC 2024, and Word 2016. Refer to the Microsoft Security Update CVE-2025-49698 entry for specific build numbers and channel-specific update guidance, including macOS variants of Office LTSC.
Workarounds
- Open untrusted Word documents in Protected View and keep Protected View enabled for files originating from the internet, Outlook attachments, and unsafe locations.
- Block or strip Office document attachments at the email gateway when senders are external and policies allow.
- Enforce Mark-of-the-Web on downloaded files and disable legacy file format support where compatible.
- Restrict execution of macros from documents sourced from the internet using Group Policy.
# Example (run from PowerShell, where '#' is a comment): keep Protected View on and block
# macros in internet-sourced files for the current user. The 16.0 key covers Office 2016,
# 2019, LTSC 2021/2024 and Microsoft 365 Apps. These are the per-user Trust Center keys;
# the Group Policy equivalents live under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security
# and cannot be overridden by the user.
# A value of 0 for the Disable*InPV entries keeps Protected View enabled for that source.
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f
# 1 = block macro execution in files carrying the Mark-of-the-Web (internet zone).
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security" /v BlockContentExecutionFromInternet /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.