Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-54904

CVE-2025-54904: Microsoft 365 Apps Use After Free Flaw

CVE-2025-54904 is a use after free vulnerability in Microsoft Office Excel that enables unauthorized attackers to execute code locally. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-54904 Overview

CVE-2025-54904 is a use-after-free vulnerability [CWE-416] in Microsoft Office Excel that enables local code execution. An unauthorized attacker can execute arbitrary code on a target system after a user opens a specially crafted Excel document. The flaw affects multiple Microsoft Office products, including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021/2024, and Office Online Server. Exploitation requires user interaction but no prior authentication, making weaponized spreadsheets delivered through phishing a practical attack path. Microsoft published the advisory on September 9, 2025.

Critical Impact

Successful exploitation of CVE-2025-54904 allows arbitrary code execution in the context of the current user, with high impact to confidentiality, integrity, and availability.

Affected Products

  • Microsoft 365 Apps (Enterprise, x64 and x86)
  • Microsoft Excel 2016, Microsoft Office 2019
  • Microsoft Office LTSC 2021 and 2024 (Windows and macOS), Microsoft Office Online Server

Discovery Timeline

  • 2025-09-09 - CVE-2025-54904 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-54904

Vulnerability Analysis

The vulnerability is a use-after-free condition in Microsoft Excel's document parsing logic. Excel references a heap object after it has been freed, allowing an attacker to influence the contents of the freed memory before reuse. When the dangling pointer is dereferenced, attacker-controlled data drives program execution flow. The result is arbitrary code execution within the security context of the user opening the file.

Exploitation is local because the malicious payload arrives as a file the user must open. Common delivery channels include phishing emails with attached workbooks, malicious links to spreadsheets, and untrusted file shares. Protected View can blunt the attack, but users frequently click "Enable Editing" on documents that appear legitimate.

Root Cause

The root cause is improper object lifetime management within Excel's handling of document structures. A code path frees an internal object while another code path retains a reference to it. Parsing crafted records in the spreadsheet triggers the stale reference, enabling memory corruption that an attacker can groom for code execution.

Attack Vector

An attacker crafts a malicious Excel workbook and delivers it to the target. When the user opens the file and the vulnerable code path runs, the freed object is reaccessed and the attacker's heap layout determines what executes. No network access or elevated privileges are required, but user interaction is mandatory. See the Microsoft CVE-2025-54904 Advisory for vendor-confirmed technical details.

Detection Methods for CVE-2025-54904

Indicators of Compromise

  • Excel processes (EXCEL.EXE) spawning unusual child processes such as cmd.exe, powershell.exe, wscript.exe, rundll32.exe, or mshta.exe.
  • Outbound network connections initiated by EXCEL.EXE to untrusted hosts shortly after opening a document.
  • Office binary writing executables, scripts, or DLLs to user-writable paths like %APPDATA%, %TEMP%, or %PUBLIC%.
  • Crash dumps or Watson telemetry showing access violations within Excel modules after opening a specific workbook.

Detection Strategies

  • Hunt for parent-child process anomalies where Microsoft Office applications spawn scripting or LOLBin processes.
  • Inspect inbound email attachments and URL deliveries for .xls, .xlsx, .xlsm, and .xlsb files originating from unverified senders.
  • Correlate Excel process telemetry with subsequent persistence indicators such as new Run keys, scheduled tasks, or service creation.

Monitoring Recommendations

  • Enable and forward Microsoft Defender, EDR, and Sysmon process and file telemetry to a centralized analytics pipeline.
  • Monitor for execution of Office documents from internet-zone or email-origin paths flagged by Mark-of-the-Web.
  • Alert on disabled Protected View or AMSI bypass attempts within Office sessions.

How to Mitigate CVE-2025-54904

Immediate Actions Required

  • Apply Microsoft's September 2025 security update for all affected Office and Microsoft 365 Apps channels referenced in the Microsoft advisory.
  • Inventory endpoints running Excel 2016, Office 2019, Office LTSC 2021/2024, and Office Online Server, and prioritize patching for users handling external documents.
  • Reinforce phishing awareness training to deter users from disabling Protected View on untrusted workbooks.

Patch Information

Microsoft released fixes through its standard Office update channels. Click-to-Run installations of Microsoft 365 Apps update automatically once the latest build is available, while MSI-based Office 2016/2019 and LTSC 2021/2024 require deployment of the corresponding security update. Office Online Server administrators should apply the server-side cumulative update referenced in the vendor advisory.

Workarounds

  • Keep Protected View and Office Application Guard enabled for documents originating from the internet or email.
  • Block macros and ActiveX in files from the internet using Group Policy where business requirements permit.
  • Use Attack Surface Reduction rules to prevent Office applications from creating child processes and writing executable content.
bash
# Example PowerShell to enable Defender ASR rules blocking Office child processes and executable creation
Set-MpPreference -AttackSurfaceReductionRules_Ids `
  D4F940AB-401B-4EFC-AADC-AD5F3C50688A, `
  3B576869-A4EC-4529-8536-B80A7769E899 `
  -AttackSurfaceReductionRules_Actions Enabled, Enabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.