
CVE-2025-54900: Microsoft 365 Apps Buffer Overflow Flaw

CVE-2025-54900 is a heap-based buffer overflow vulnerability in Microsoft Office Excel that enables attackers to execute arbitrary code locally. This article covers the technical details, affected versions, and mitigation strategies.


CVE-2025-54900 Overview

CVE-2025-54900 is a heap-based buffer overflow [CWE-122] in Microsoft Office Excel that enables local code execution. An attacker crafts a malicious Excel document and convinces a user to open it, triggering memory corruption in the Excel process. Successful exploitation runs arbitrary code in the context of the current user.

The vulnerability affects multiple Office channels, including Microsoft 365 Apps, Excel 2016, Office 2019, and the Office Long Term Servicing Channel (LTSC) 2021 and 2024 on Windows and macOS. Office Online Server is also impacted. Microsoft published the advisory on September 9, 2025.

Critical Impact

A single weaponized spreadsheet delivered via phishing or shared storage can yield arbitrary code execution with the victim's privileges across Windows and macOS Office deployments.

Affected Products

  • Microsoft 365 Apps (Enterprise, x64 and x86)
  • Microsoft Excel 2016, Microsoft Office 2019, Office LTSC 2021 and 2024 (Windows x64/x86 and macOS)
  • Microsoft Office Online Server

Discovery Timeline

  • 2025-09-09 - CVE-2025-54900 published to the National Vulnerability Database (NVD)
  • 2025-09-09 - Microsoft publishes the Microsoft CVE-2025-54900 Advisory
  • 2025-09-12 - Last updated in NVD

Technical Details for CVE-2025-54900

Vulnerability Analysis

The flaw is a heap-based buffer overflow inside Microsoft Excel's document parsing logic. When Excel processes a specially crafted spreadsheet, an undersized heap allocation receives more bytes than its boundary permits. The overflow corrupts adjacent heap metadata or object pointers used by Excel during file rendering.

Exploitation requires the victim to open the file, which classifies the attack vector as local with user interaction. Because Excel runs in the user's session, successful exploitation grants the attacker the same privileges as the logged-on user. On systems where users hold administrative rights, the impact extends to full host compromise.

Microsoft confirms impact across confidentiality, integrity, and availability. The EPSS probability for near-term exploitation is 0.272% (50th percentile) as of June 2026, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at publication time.

Root Cause

The root cause is improper validation of size fields within a structured Excel record. Excel allocates a heap buffer based on attacker-influenced metadata, then copies a larger payload into that buffer. The mismatch between declared and actual sizes is the classic [CWE-122] heap overflow pattern.

Attack Vector

A threat actor delivers a malicious .xls, .xlsx, or related Office file through email, instant messaging, or a compromised file share. When the user opens the document in a vulnerable Excel build, the parser triggers the overflow. The Preview Pane can also serve as an attack surface for certain Office file formats, reducing the user interaction requirement.

No verified public proof-of-concept exists at the time of writing. Refer to the Microsoft CVE-2025-54900 Advisory for vendor technical details.

Detection Methods for CVE-2025-54900

Indicators of Compromise

  • Unexpected EXCEL.EXE child processes such as cmd.exe, powershell.exe, wscript.exe, mshta.exe, or rundll32.exe
  • Excel crashes or Windows Error Reporting (WER) entries referencing heap corruption in EXCEL.EXE
  • Inbound Excel documents from external senders containing embedded objects, macros, or unusual binary records
  • Outbound network connections initiated directly by EXCEL.EXE to unfamiliar domains shortly after document open

Detection Strategies

  • Hunt for process lineage anomalies where Office binaries spawn scripting interpreters or LOLBins
  • Inspect Office file telemetry for malformed records, oversized streams, or unusual OLE structures
  • Correlate user-opened email attachments with subsequent endpoint behavioral alerts within a short time window

Monitoring Recommendations

  • Enable and forward Microsoft Defender Antivirus, AMSI, and Sysmon logs to a centralized SIEM for Office process telemetry
  • Alert on Excel writing executables, DLLs, or scripts to %TEMP%, %APPDATA%, or user profile directories
  • Track WER and application crash events on EXCEL.EXE as early indicators of exploitation attempts
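The process-lineage hunt and the file-write alert above, as an added example that is not part of the advisory: a small Python triage routine run over constructed Sysmon-style records (Event ID 1 process creation and Event ID 11 file creation). Field names follow Sysmon's schema; the sample events and paths are made up for the demonstration.

```python
"""Triage Sysmon-style events for Office post-exploitation behaviour.

Added example (not from the advisory). Flags two of the page's indicators:
  * EXCEL.EXE (or another Office binary) spawning a scripting interpreter/LOLBin
  * an Office binary writing executable content under a user profile directory
All records below are constructed, not real telemetry.
"""
from __future__ import annotations
from pathlib import PureWindowsPath
from typing import Optional

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DROPPED_EXTENSIONS = {".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".bat"}
PROFILE_MARKER = "\\users\\"  # covers %TEMP%, %APPDATA% and the rest of the profile


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def flag_event(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None when nothing matches."""
    eid = event.get("EventID")
    if eid == 1:  # ProcessCreate: check parent -> child lineage
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            return f"office-spawns-lolbin:{parent}->{child}"
    elif eid == 11:  # FileCreate: check what an Office process drops and where
        writer = _basename(event.get("Image", ""))
        target = event.get("TargetFilename", "")
        ext = PureWindowsPath(target).suffix.lower()
        if writer in OFFICE_PARENTS and ext in DROPPED_EXTENSIONS \
                and PROFILE_MARKER in target.lower():
            return f"office-drops-executable:{writer}->{ext}"
    return None


def hunt(events: list[dict]) -> list[str]:
    """Run flag_event over a batch and keep only the hits."""
    return [f for f in (flag_event(e) for e in events) if f]


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\~DF1234.tmp"},  # benign scratch file
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Explorer launching Excel and Excel writing its own .tmp scratch files are deliberately left unflagged so the logic does not fire on routine document opens.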

How to Mitigate CVE-2025-54900

Immediate Actions Required

  • Apply the September 2025 Microsoft Office security updates referenced in the Microsoft CVE-2025-54900 Advisory across all Office channels in scope
  • Validate that Microsoft 365 Apps clients are on a supported update channel and have received the latest cumulative update
  • Patch Office Online Server and macOS Office LTSC builds, which are frequently missed in Windows-focused patch cycles

Patch Information

Microsoft has released security updates for Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021 and 2024 (Windows and macOS), and Office Online Server. Administrators should consult the Microsoft CVE-2025-54900 Advisory for build numbers and KB identifiers that map to each channel.

Workarounds

  • Enforce Protected View and Office Application Guard for documents sourced from the internet or email
  • Block macro execution from internet-sourced Office files using the documented Group Policy or Intune setting
  • Use Attack Surface Reduction (ASR) rules to prevent Office applications from creating child processes
  • Strip or sandbox inbound Excel attachments at the mail gateway pending full patch deployment
```powershell
# Example: enable the ASR rule "Block all Office applications from creating child processes"
# (rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A). Add-MpPreference appends to the
# rule list; Set-MpPreference would replace every ASR rule already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify the rule state: Ids and Actions are parallel arrays, so list both
$prefs = Get-MpPreference
$prefs.AttackSurfaceReductionRules_Ids
$prefs.AttackSurfaceReductionRules_Actions
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
