CVE-2025-53734 Overview
CVE-2025-53734 is a use-after-free vulnerability [CWE-416] in Microsoft Office Visio that allows an unauthorized attacker to execute arbitrary code locally. The flaw affects Microsoft 365 Apps, Microsoft Office 2019, and Microsoft Office Long Term Servicing Channel (LTSC) 2021 and 2024. Exploitation requires user interaction, typically opening a crafted Visio document. Successful exploitation grants the attacker the ability to run code in the context of the current user, leading to compromise of confidentiality, integrity, and availability on the affected host.
Critical Impact
A successful exploit allows an attacker to execute arbitrary code on the target system after a user opens a malicious Visio file, potentially leading to full host compromise under the user's privileges.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Office 2019 (x64 and x86)
- Microsoft Office Long Term Servicing Channel 2021 and 2024 (x64 and x86)
Discovery Timeline
- 2025-08-12 - CVE-2025-53734 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-53734
Vulnerability Analysis
The vulnerability is a use-after-free condition in Microsoft Office Visio document parsing. The Visio component frees a memory object but retains a dangling reference that is later dereferenced during processing of crafted file content. When the freed memory is reallocated with attacker-controlled data, the subsequent dereference can redirect execution flow to attacker-supplied code. Exploitation occurs locally and requires the victim to open a malicious Visio file delivered through email, web download, or shared storage. Code execution runs in the security context of the user opening the file, with no additional privileges required by the attacker prior to exploitation.
Root Cause
The root cause is improper object lifetime management in the Visio file parser, classified as Use After Free [CWE-416]. The application releases a heap object while another code path retains a pointer to that memory. Subsequent operations on the dangling pointer trigger memory corruption that an attacker can shape into a controlled write or virtual function pointer hijack.
Attack Vector
The attack vector is local and requires user interaction. An attacker crafts a malicious Visio document (.vsd, .vsdx, or a related format) and delivers it via phishing, watering-hole sites, or removable media. When the victim opens the file in an affected Office build, the parser triggers the use-after-free condition, enabling arbitrary code execution under the user's account. No authentication is required on the part of the attacker.
No public proof-of-concept or in-the-wild exploitation has been reported. Refer to the Microsoft CVE-2025-53734 Update Guide for vendor technical details.
Detection Methods for CVE-2025-53734
Indicators of Compromise
- Unexpected child processes spawned by VISIO.EXE, such as cmd.exe, powershell.exe, wscript.exe, or rundll32.exe.
- Visio process crashes with access violation exceptions recorded in Windows Error Reporting (WER) logs.
- Visio files arriving from external email senders or untrusted web downloads, particularly those bypassing Protected View.
- Outbound network connections originating from VISIO.EXE to unfamiliar domains or IP addresses immediately after document open.
Detection Strategies
- Monitor process creation events (Windows Event ID 4688, Sysmon Event ID 1) where the parent process is VISIO.EXE and the child is an interpreter or LOLBin.
- Alert on Office applications writing executable content (.exe, .dll, .scr) to disk, especially in user-writable directories such as %TEMP% or %APPDATA%.
- Inspect inbound email attachments with Visio extensions using sandbox detonation prior to delivery.
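To make the first two strategies concrete, the following Python is an added example (not from the advisory or from Microsoft) that runs them over constructed Sysmon-style events. The field names follow Sysmon Event ID 1 (process create) and 11 (file create); the LOLBin list extends the four names above, and the install path, user name and sample command lines are assumptions.

```python
"""Two of the detections above, run over constructed Sysmon-style events (added example)."""
import ntpath
import re

# The advisory names the first four; the rest are a reasonable extension.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe",
                       "cscript.exe", "mshta.exe", "regsvr32.exe"}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr")
# %TEMP% and %APPDATA% both expand to folders under the user's AppData directory.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

def _base(path):
    return ntpath.basename(path).lower()  # Windows path semantics on any host OS

def check_process_create(ev):
    """Sysmon EID 1 / Security 4688: Visio as parent of an interpreter or LOLBin."""
    if _base(ev.get("ParentImage", "")) != "visio.exe":
        return None
    child = _base(ev.get("Image", ""))
    if child in SUSPICIOUS_CHILDREN:
        return f"VISIO.EXE spawned {child}: {ev.get('CommandLine', '')}"
    return None

def check_file_create(ev):
    """Sysmon EID 11: Visio writing .exe/.dll/.scr into a user-writable folder."""
    if _base(ev.get("Image", "")) != "visio.exe":
        return None
    target = ev.get("TargetFilename", "")
    if target.lower().endswith(EXEC_EXTENSIONS) and USER_WRITABLE.search(target):
        return f"VISIO.EXE wrote executable {target}"
    return None

CHECKS = {1: check_process_create, 11: check_file_create}

def triage(events):
    """One alert string per matching event, in input order; other event IDs are ignored."""
    return [hit for ev in events
            if (check := CHECKS.get(ev.get("EventID"))) and (hit := check(ev))]

VISIO = r"C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE"  # assumed install path
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"EventID": 1, "ParentImage": VISIO, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo constructed"},
    {"EventID": 1, "ParentImage": VISIO, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe"},  # benign: print helper Office normally spawns
    {"EventID": 11, "Image": VISIO,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"EventID": 11, "Image": VISIO,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\~$diagram.vsdx"},
]
```

Calling triage(SAMPLE_EVENTS) yields two alerts (the cmd.exe child and the .dll write) and ignores the print helper and the Visio lock file, which is the split a SIEM rule built from these two strategies should produce.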
Monitoring Recommendations
- Track Office telemetry for unexpected memory exceptions and module loads inside VISIO.EXE.
- Forward endpoint and email gateway logs to a centralized SIEM for correlation across users opening similar attachments.
- Enable Microsoft Defender Attack Surface Reduction (ASR) audit logging to identify exploitation attempts before enforcement.
How to Mitigate CVE-2025-53734
Immediate Actions Required
- Apply the security updates listed in the Microsoft CVE-2025-53734 Update Guide to all affected Office and Microsoft 365 Apps installations.
- Verify that Microsoft 365 Apps clients are receiving updates from the current channel and confirm build versions after deployment.
- Block inbound Visio attachments at the email gateway from untrusted senders until patching completes.
- Enforce Protected View and Office Application Guard for documents originating from the internet.
Patch Information
Microsoft has released security updates for affected products. Administrators should consult the Microsoft CVE-2025-53734 Update Guide to identify the correct build numbers for Microsoft 365 Apps, Office 2019, and Office LTSC 2021 and 2024, and deploy through Microsoft Update, WSUS, Intune, or Configuration Manager.
Workarounds
- Enable Microsoft Defender ASR rules that block child process creation from Office applications.
- Configure Office Trust Center to disable opening files from untrusted locations and enforce Protected View for internet, attachment, and unsafe-location files.
- Restrict execution of Visio file types through file-type policies on email gateways and web proxies until patches are applied.
# Configuration example: enable the ASR rule "Block all Office applications from creating child processes"
# Set-MpPreference replaces the configured ASR rule set with the IDs given; use Add-MpPreference to add this rule
# alongside existing ones, and AuditMode instead of Enabled to observe matches before enforcing.
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

