CVE-2025-49711: Microsoft 365 Apps Use After Free Flaw

CVE-2025-49711 Overview

CVE-2025-49711 is a use-after-free vulnerability [CWE-416] in Microsoft Office Excel that enables local code execution. An attacker who successfully exploits this flaw can run arbitrary code in the context of the current user. Exploitation requires the victim to open a crafted Excel document, which makes phishing and document-delivery campaigns the most likely vectors. Microsoft published the advisory on July 8, 2025, and the issue affects multiple supported Office channels including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server.

Critical Impact

Successful exploitation grants the attacker code execution at the privilege level of the user opening the malicious Excel file, leading to full compromise of confidentiality, integrity, and availability on the host.

Affected Products

• Microsoft 365 Apps (Enterprise, x86 and x64)
• Microsoft Excel 2016, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024 (including macOS builds)
• Microsoft Office Online Server

Discovery Timeline

• 2025-07-08 - CVE-2025-49711 published to NVD and Microsoft releases security update
• 2025-07-15 - Last updated in NVD database

Technical Details for CVE-2025-49711

Vulnerability Analysis

The vulnerability is a use-after-free condition in Microsoft Excel's document parsing and object handling logic. When Excel processes a specially crafted spreadsheet, it releases a memory object but retains a dangling reference to that memory region. Subsequent operations dereference the freed pointer, allowing an attacker who controls the freed heap region to redirect execution flow.

Because Office applications run with the privileges of the interactive user, exploitation results in arbitrary code execution within that user context. Attackers typically chain this primitive with heap-spraying techniques to place controlled data at the address referenced by the dangling pointer.

The issue carries an EPSS probability of 0.689%, placing it in the 71st percentile for likelihood of observed exploitation activity.

Root Cause

The root cause is improper lifetime management of an internal Excel object [CWE-416]. The application frees a heap-allocated structure while another code path still holds a reference to it. When that reference is reused, the attacker-controlled contents at the reclaimed address are interpreted as a valid object, including virtual function tables or callback pointers.

Attack Vector

The attack vector is local with user interaction required. An attacker delivers a malicious .xlsx, .xls, or related Office document through email, a web download, or a shared file location. When the victim opens the file in a vulnerable Excel build, the parser triggers the use-after-free and executes the embedded payload. No network authentication or elevated privileges are required from the attacker; only the victim's interaction with the document is needed.

Verified public proof-of-concept code is not currently available. See the Microsoft Security Update for CVE-2025-49711 for technical details.

Detection Methods for CVE-2025-49711

Indicators of Compromise

• Excel processes (EXCEL.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe
• Crashes or anomalous exception events in Excel referencing access violations in heap-allocated objects
• Inbound Office documents from untrusted senders containing embedded objects, OLE links, or external data connections
• Outbound network connections initiated directly by EXCEL.EXE to unfamiliar domains or IP addresses

Detection Strategies

• Hunt for parent-child process relationships where EXCEL.EXE launches scripting engines or LOLBins commonly used for post-exploitation
• Inspect Office telemetry and Windows Event logs for Excel application crashes with exception codes consistent with memory corruption
• Apply YARA and static analysis rules to inbound documents that flag unusual embedded objects, malformed records, or large heap-spray payloads

Monitoring Recommendations

• Enable and forward Microsoft Defender for Office 365 or equivalent attachment-sandboxing telemetry to your SIEM
• Monitor endpoints for new persistence mechanisms, scheduled tasks, or run-key entries created shortly after Excel document opens
• Track file write events from EXCEL.EXE into user profile directories, %TEMP%, and startup folders

How to Mitigate CVE-2025-49711

Immediate Actions Required

• Apply Microsoft's July 2025 security updates for all affected Office channels listed in the advisory
• Inventory Office builds across the estate and prioritize patching for users who routinely process external spreadsheets
• Block or quarantine Excel attachments from external senders at the mail gateway until patching is complete

Patch Information

Microsoft has released security updates addressing CVE-2025-49711 across Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server. Refer to the Microsoft Security Update Guide for CVE-2025-49711 for build numbers and deployment guidance. Microsoft 365 Apps customers on the Current Channel will receive the fix through standard click-to-run updates.

Workarounds

• Enable Protected View and Application Guard for Office to isolate documents originating from the internet or email
• Configure the Office Trust Center to block macros and ActiveX controls in documents from untrusted locations
• Restrict the opening of Excel files from email and the web using Attack Surface Reduction (ASR) rules such as blocking Office applications from creating child processes

# Enable ASR rule: Block Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

# Enforce Protected View for files originating from the internet
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView' -Name DisableInternetFilesInPV -Value 0