CVE-2025-53730 Overview
CVE-2025-53730 is a use-after-free vulnerability [CWE-416] in Microsoft Office Visio that allows local code execution. An attacker can craft a malicious Visio document that, when opened by a user, triggers memory corruption and executes arbitrary code in the context of the current user. The vulnerability affects Microsoft 365 Apps, Microsoft Office 2019, and Microsoft Office Long Term Servicing Channel (LTSC) 2021 and 2024 on both x64 and x86 architectures. Microsoft published the advisory on August 12, 2025, and the entry was last modified in NVD on August 15, 2025.
Critical Impact
Successful exploitation grants arbitrary code execution with the privileges of the targeted user, enabling malware installation, data theft, and lateral movement from a single opened document.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Office 2019 (x64 and x86)
- Microsoft Office Long Term Servicing Channel 2021 and 2024 (x64 and x86)
Discovery Timeline
- 2025-08-12 - CVE-2025-53730 published to NVD with Microsoft advisory
- 2025-08-15 - Last updated in NVD database
Technical Details for CVE-2025-53730
Vulnerability Analysis
The flaw is a use-after-free condition [CWE-416] within Microsoft Office Visio's document parsing logic. The application frees a memory object while retaining a reference to it, and subsequent operations dereference the dangling pointer. When an attacker controls the contents that influence the freed object's layout, they can place attacker-supplied data into the reclaimed allocation. The dangling reference then operates on attacker-controlled memory, leading to arbitrary code execution in the Visio process.
Exploitation requires user interaction, since the victim must open a malicious file. The attack vector is local because the file must be processed by Visio on the target system, typically delivered via phishing email, web download, or shared network location.
Root Cause
The root cause is improper object lifetime management in Visio's handling of structured document elements. Visio releases a heap object but does not invalidate or null all references that point to it. A subsequent operation reuses the freed pointer, allowing controlled writes or function pointer hijacking against memory the allocator has handed to attacker-controlled data.
Attack Vector
An attacker creates a malformed Visio file (.vsd, .vsdx, .vsdm, or related format) that triggers the freed-object path during parsing or rendering. The attacker delivers the file through email attachments, malicious links, or compromised file shares. When the user opens the document, Visio processes the crafted structures, the use-after-free fires, and the embedded payload runs under the user's account. Microsoft documents the technical fix in the Microsoft Security Response Center advisory for CVE-2025-53730.
No public proof-of-concept exploit is available at the time of publication, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-53730
Indicators of Compromise
- Unexpected child processes spawned by VISIO.EXE, such as cmd.exe, powershell.exe, rundll32.exe, or wscript.exe.
- Visio crash events in the Windows Application event log referencing access violations or heap corruption after opening external documents.
- Outbound network connections initiated by VISIO.EXE to untrusted destinations shortly after a document is opened.
- New files written to %TEMP%, %APPDATA%, or Office startup folders following a Visio session.
Detection Strategies
- Hunt for parent-child process anomalies where VISIO.EXE launches script interpreters or LOLBins associated with payload staging.
- Inspect inbound email and web gateway telemetry for Visio file types delivered from external senders, especially with macros or embedded objects.
- Correlate document-open events with subsequent process creation, file write, and network connection activity for fast triage.
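The correlation in the list above, written as an added example that is not part of the original advisory. It runs over constructed Sysmon-style records (Event IDs 1, 3 and 11); the allowlist, the 120-second window and the dropped-file extension filter are assumptions to tune per environment.

```python
import ipaddress
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}  # from the IoC list
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]  # assumption: site allowlist
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
DROP_EXTS = (".exe", ".dll", ".js", ".vbs", ".ps1")  # assumption: skip Visio's own temp files
WINDOW = timedelta(seconds=120)  # assumption: meaning of "shortly after"

def ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def hunt(events):
    """Return (kind, detail) findings tied to a VISIO.EXE instance by ProcessGuid."""
    visio, findings = {}, []
    for e in sorted(events, key=ts):
        img, guid = basename(e["Image"]).lower(), e["ProcessGuid"]
        if e["EventID"] == 1:  # process creation
            if img == "visio.exe":
                visio[guid] = ts(e)  # anchor: Visio start / document open
            elif e["ParentProcessGuid"] in visio and img in CHILDREN:
                findings.append(("child_process", e["CommandLine"]))
        elif guid in visio and ts(e) - visio[guid] <= WINDOW:
            if e["EventID"] == 3:  # network connection made by Visio itself
                dst = ipaddress.ip_address(e["DestinationIp"])
                if not any(dst in net for net in TRUSTED):
                    findings.append(("network", e["DestinationIp"]))
            elif e["EventID"] == 11:  # file created by Visio itself
                path = e["TargetFilename"].lower()
                if any(d in path for d in DROP_DIRS) and path.endswith(DROP_EXTS):
                    findings.append(("file_drop", e["TargetFilename"]))
    return findings

def ev(eid, hms, guid, image, **extra):
    return {"EventID": eid, "UtcTime": f"2025-08-20 {hms}.000",
            "ProcessGuid": guid, "Image": image, **extra}

VISIO = r"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE"
SAMPLE = [  # constructed records, not real telemetry
    ev(1, "09:00:00", "{v1}", VISIO, ParentProcessGuid="{e1}", CommandLine="VISIO.EXE diagram.vsdx"),
    ev(11, "09:00:02", "{v1}", VISIO, TargetFilename=r"C:\Users\u\AppData\Local\Temp\~vis1.tmp"),
    ev(3, "09:00:03", "{v1}", VISIO, DestinationIp="198.51.100.7"),
    ev(3, "09:00:05", "{v1}", VISIO, DestinationIp="203.0.113.10"),
    ev(11, "09:00:06", "{v1}", VISIO, TargetFilename=r"C:\Users\u\AppData\Roaming\upd.dll"),
    ev(1, "09:00:08", "{c1}", r"C:\Windows\System32\cmd.exe",
       ParentProcessGuid="{v1}", CommandLine="cmd.exe /c echo test"),
    ev(3, "09:10:00", "{v1}", VISIO, DestinationIp="203.0.113.99"),
]
```

Keying on ProcessGuid rather than image name keeps a finding attached to the specific Visio instance that opened the document, so a second, unrelated Visio session does not inherit it.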
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes and from injecting code into other processes.
- Forward Sysmon process, file, and network events from endpoints running Microsoft Office to a centralized SIEM for retroactive hunting.
- Alert on Visio executions opening files from internet-zone or email-attached locations identified by Mark-of-the-Web.
How to Mitigate CVE-2025-53730
Immediate Actions Required
- Apply the August 2025 Microsoft security updates to all affected Microsoft 365 Apps, Office 2019, and Office LTSC 2021 and 2024 installations.
- Confirm patch deployment status through Microsoft Endpoint Manager, WSUS, or Intune compliance reports.
- Restrict opening of Visio files received from external sources until patching is verified across the fleet.
Patch Information
Microsoft released fixed builds on August 12, 2025. Administrators should consult the Microsoft CVE-2025-53730 update guide for the specific build numbers per channel (Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel, and LTSC) and apply them through standard Office update mechanisms.
Workarounds
- Configure Office Protected View to remain enabled for files originating from the internet and from email attachments.
- Enforce Office File Block policy to prevent opening of legacy Visio binary formats from untrusted locations.
- Deploy Attack Surface Reduction rule D4F940AB-401B-4EFC-AADC-AD5F3C50688A to block Office applications from creating child processes.
- Train users to validate the source of Visio attachments and report suspicious documents before opening.
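```powershell
# Configuration example: enable the ASR rule that blocks Office child process creation.
# Add-MpPreference appends to the configured rule list; Set-MpPreference with these
# parameters replaces the whole list and would drop any ASR rules already enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled
# Verify the installed Click-to-Run Office version
reg query "HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /v VersionToReport
```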


