
CVE-2025-53761: Microsoft 365 Apps Use-After-Free Flaw

CVE-2025-53761 is a use-after-free vulnerability in Microsoft Office PowerPoint that enables unauthorized attackers to execute code locally. This article covers the technical details, affected versions, impact, and mitigation.


CVE-2025-53761 Overview

CVE-2025-53761 is a use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthorized local attacker to execute arbitrary code. The flaw, tracked under CWE-416, affects multiple supported Microsoft Office configurations including Microsoft 365 Apps, Office 2019, the Office Long Term Servicing Channel 2021 and 2024, and PowerPoint 2016. Exploitation requires user interaction, typically by opening a malicious presentation file. Successful exploitation can lead to full compromise of confidentiality, integrity, and availability on the affected host.

Critical Impact

An attacker who convinces a user to open a crafted PowerPoint file can execute code in the context of the current user, enabling malware deployment, credential theft, and lateral movement.

Affected Products

  • Microsoft 365 Apps for Enterprise (x86 and x64)
  • Microsoft Office 2019 (x86 and x64)
  • Microsoft Office Long Term Servicing Channel 2021 and 2024
  • Microsoft PowerPoint 2016

Discovery Timeline

  • 2025-08-12 - CVE-2025-53761 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-53761

Vulnerability Analysis

The vulnerability is a use-after-free condition in Microsoft Office PowerPoint, classified as CWE-416. PowerPoint references a memory object after that object has been freed, allowing an attacker to influence the contents of the dangling allocation. When the freed object is reused, the application dereferences attacker-controlled data, leading to arbitrary code execution in the context of the user opening the file.

The attack is local and requires the victim to open a specially crafted presentation. The Preview Pane is a common trigger surface for similar Office memory corruption flaws, increasing the practical exposure. The current EPSS probability sits at 0.485%, a low predicted likelihood of exploitation, with no known broad exploitation at this time, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Root Cause

The defect stems from improper object lifetime management within PowerPoint's document parsing or rendering code paths. A pointer to a heap-allocated object continues to be used after the object has been released, producing a classic use-after-free state that an attacker can groom into a controlled write or virtual call.

Attack Vector

Exploitation requires a user to open a malicious .pptx, .ppt, or related Office file delivered through email, file shares, or web downloads. No prior authentication or elevated privileges are required on the target. Code executes with the privileges of the user running PowerPoint, which is sufficient for persistence, data theft, and follow-on tooling.

No public proof-of-concept code is referenced in the advisory. The vulnerability mechanism is described in prose only; consult the Microsoft CVE-2025-53761 Advisory for vendor-supplied technical details.

Detection Methods for CVE-2025-53761

Indicators of Compromise

  • Unexpected child processes spawned by POWERPNT.EXE, such as cmd.exe, powershell.exe, wscript.exe, mshta.exe, or rundll32.exe.
  • PowerPoint process crashes (Application Error events with faulting module in Office binaries) immediately preceding suspicious process activity.
  • Outbound network connections initiated by POWERPNT.EXE to untrusted or newly observed domains.
  • Creation of executable files or scripts in %TEMP%, %APPDATA%, or Office cache directories shortly after opening a presentation.

Detection Strategies

  • Hunt for parent-child process relationships where POWERPNT.EXE launches script interpreters or living-off-the-land binaries.
  • Alert on Office applications writing to autorun locations including HKCU\Software\Microsoft\Windows\CurrentVersion\Run and Startup folders.
  • Use file-content inspection on inbound .pptx and .ppt files to flag embedded OLE objects, ActiveX controls, or unusually large or malformed structures.
  • Correlate Windows Error Reporting crash events in PowerPoint with subsequent process or network anomalies on the same endpoint.
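The file-content inspection item above, as an added example (not code from the advisory or the vendor): it opens an inbound presentation as a zip container without rendering it and reports embedded OLE parts, ActiveX parts, malformed containers, and oversized or highly compressed parts. The thresholds, function names and sample files are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed thresholds for this example; tune them for your own mail flow.
MAX_PART_BYTES = 50 * 1024 * 1024   # flag any single part above 50 MiB
MAX_RATIO = 200                     # flag extreme compression ratios
# Conventional OOXML part locations written by PowerPoint.
RISKY_PREFIXES = {
    "ppt/embeddings/": "embedded OLE object",
    "ppt/activeX/": "ActiveX control",
}
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file header (.ppt)


def inspect_presentation(data):
    """Return findings for one attachment without rendering its content."""
    if data.startswith(OLE_MAGIC):
        return ["legacy compound file (.ppt): send to sandbox"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["malformed container: not a valid zip"]
    findings = []
    with archive:
        infos = archive.infolist()
        if "[Content_Types].xml" not in {i.filename for i in infos}:
            findings.append("malformed container: no [Content_Types].xml")
        for info in infos:
            for prefix, label in RISKY_PREFIXES.items():
                if info.filename.startswith(prefix):
                    findings.append(f"{label}: {info.filename}")
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > MAX_PART_BYTES:
                findings.append(f"oversized part: {info.filename}")
            elif ratio > MAX_RATIO:
                findings.append(f"suspicious compression ratio: {info.filename}")
    return findings


def build_sample(parts):
    """Build a constructed in-memory .pptx-like zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Part names in OOXML are set by relationships, so a file can place embedded content elsewhere; treat a clean result as one signal and keep sandbox detonation in the pipeline.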

Monitoring Recommendations

  • Forward Sysmon Event IDs 1 (process creation), 3 (network), 7 (image load), and 11 (file create) from Office hosts to your SIEM for behavioral analytics.
  • Monitor email gateway logs for presentations originating from external senders and inspect attachments in a sandbox before delivery.
  • Track Office patch deployment status across the fleet to identify endpoints that remain exposed.
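The process-lineage hunt and the crash correlation described in the detection sections, as an added example (not from the advisory): it runs two rules over normalized endpoint events, one for POWERPNT.EXE launching a listed interpreter and one for a listed interpreter starting on a host shortly after a PowerPoint crash. The record layout, the five-minute window, host names and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Child images named in the indicator list on this page.
SUSPECT = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window, not from the advisory


def leaf(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, host, image) alerts in event-time order."""
    crash_times, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        host, image = ev["host"], leaf(ev["image"])
        if ev["type"] == "crash" and image == "powerpnt.exe":
            crash_times.setdefault(host, []).append(ev["time"])
        elif ev["type"] == "process" and image in SUSPECT:
            if leaf(ev["parent"]) == "powerpnt.exe":
                alerts.append(("office_child_process", host, image))
            elif any(ev["time"] - t <= WINDOW for t in crash_times.get(host, [])):
                alerts.append(("process_after_crash", host, image))
    return alerts


def ts(hms):
    return datetime.fromisoformat("2025-08-13T" + hms)


# Constructed sample: "process" rows mimic Sysmon Event ID 1 fields,
# "crash" rows mimic an Application Error record for PowerPoint.
SAMPLE = [
    {"type": "process", "time": ts("09:00:05"), "host": "WS-01",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"type": "crash", "time": ts("10:15:00"), "host": "WS-02", "image": "POWERPNT.EXE"},
    {"type": "process", "time": ts("10:16:30"), "host": "WS-02",
     "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "time": ts("11:00:00"), "host": "WS-03",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "time": ts("12:00:00"), "host": "WS-02",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe"},
]
```

On the sample, `hunt(SAMPLE)` flags the WS-01 child process and the WS-02 launch 90 seconds after the crash, and ignores the two launches with no PowerPoint parent or recent crash.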

How to Mitigate CVE-2025-53761

Immediate Actions Required

  • Apply the latest Microsoft security updates for all affected Office channels as identified in the Microsoft CVE-2025-53761 Advisory.
  • Inventory endpoints for vulnerable builds of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and PowerPoint 2016 and prioritize patching.
  • Block or quarantine inbound PowerPoint attachments from untrusted senders at the email gateway until patches are deployed.
  • Reinforce user awareness training on opening presentation files received from unknown or unexpected sources.

Patch Information

Microsoft has released security updates addressing CVE-2025-53761 through the Microsoft Update channel. Refer to the Microsoft Security Response Center advisory for the specific KB articles and build numbers applicable to each affected product and architecture. Microsoft 365 Apps receives updates through Click-to-Run, while perpetual Office and LTSC editions require corresponding MSI or C2R cumulative updates.

Workarounds

  • Enable Protected View and Office Application Guard to constrain code execution from untrusted documents.
  • Configure Attack Surface Reduction rules to block Office applications from creating child processes and from injecting code into other processes.
  • Disable the Outlook Preview Pane and avoid previewing presentations from untrusted senders to reduce the trigger surface.
  • Apply Group Policy to require macros and ActiveX content to be disabled by default in PowerPoint.
```powershell
# Run in an elevated PowerShell session on the endpoint.
# Add-MpPreference appends to the configured ASR rules; Set-MpPreference
# would replace the whole existing rule list with the IDs given here.

# Enable Microsoft Defender ASR rule: Block Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions Enabled

# Enable ASR rule: Block Office applications from injecting code into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
