CVE-2025-54905 Overview
CVE-2025-54905 is an untrusted pointer dereference vulnerability in Microsoft Office Word that enables local information disclosure. An attacker who convinces a user to open a crafted Office document can trigger the flaw, leveraging an attacker-controlled pointer value processed by the application. The vulnerability is tracked under CWE-822: Untrusted Pointer Dereference and affects multiple Microsoft Office and SharePoint products. Microsoft published the advisory on September 9, 2025. Successful exploitation can expose sensitive memory content and disrupt application availability.
Critical Impact
A successful attack discloses sensitive memory contents from the Word process and can crash the application, requiring user interaction to open a malicious document.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Office 2019, Office LTSC 2021, and Office LTSC 2024 (including macOS builds)
- Microsoft Word 2016, SharePoint Enterprise Server 2016, and SharePoint Server 2019
Discovery Timeline
- 2025-09-09 - CVE-2025-54905 published to NVD
- 2025-09-12 - Last updated in NVD database
Technical Details for CVE-2025-54905
Vulnerability Analysis
The flaw resides in Word's handling of document structures that contain pointer values consumed by the application without proper validation. When Word parses a crafted document, the code dereferences a pointer whose value is influenced by attacker-supplied content. This results in reads from attacker-influenced memory regions, leading to information disclosure of process memory and potential application termination. The issue is classified under CWE-822, which covers cases where code obtains a pointer from untrusted input and uses it without validation.
Root Cause
The root cause is insufficient validation of pointer values parsed from document data structures. Microsoft's advisory categorizes the weakness as an untrusted pointer dereference, indicating that internal data objects in Word accept values from the document that are subsequently used as memory references. Without bounds checking or origin verification, the parser follows these references, accessing memory outside the intended object scope.
Attack Vector
Exploitation requires local user interaction. The attacker delivers a malicious .doc, .docx, .rtf, or related Office document to the victim through email, web download, or shared storage. When the user opens the file in Word, or previews it through SharePoint or Office on the web through affected server components, the document parser triggers the untrusted dereference. No network access or prior authentication is required, but the user must open the file. The attack discloses memory contents that may include other document data, credentials, or address layout information useful for chaining with other vulnerabilities.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.11%. See the Microsoft Security Update Guide for technical details.
Detection Methods for CVE-2025-54905
Indicators of Compromise
- Unexpected Word process crashes (WINWORD.EXE) coinciding with the opening of externally sourced documents.
- Office documents arriving through email or download with embedded objects, unusual OLE streams, or malformed structure records.
- Word Error Reporting (WER) entries referencing access violations during document parsing.
Detection Strategies
- Monitor endpoint telemetry for WINWORD.EXE faulting modules and abnormal exits triggered shortly after document open events.
- Inspect mail gateways and web proxies for inbound Office documents from untrusted senders, applying sandbox detonation to identify malicious payloads.
- Correlate Office process activity with file-write events to user profile and temp directories that may indicate staged exploitation artifacts.
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction rules covering Office child process creation and Win32 API calls from Office macros.
- Forward Office telemetry and Windows Application event logs to a central SIEM for correlation with email and proxy logs.
- Track patch compliance across all endpoints running affected Office and SharePoint versions to identify unpatched hosts.
How to Mitigate CVE-2025-54905
Immediate Actions Required
- Apply the September 2025 Microsoft security updates that address CVE-2025-54905 across all affected Office, Microsoft 365 Apps, and SharePoint deployments.
- Prioritize patching on systems where users routinely open documents from external sources, including executive workstations and shared SharePoint servers.
- Educate users on the risk of opening unexpected Office attachments and enable Protected View for files originating from the internet.
Patch Information
Microsoft has released fixes through the standard Office and Microsoft 365 update channels. Administrators should consult the Microsoft Security Update Guide for CVE-2025-54905 to identify the specific KB articles and build numbers required for each affected SKU, including SharePoint Server 2016 and 2019 cumulative updates.
Workarounds
- Enforce Protected View and Office File Block policies to require manual review of documents from the internet and untrusted locations.
- Block or quarantine inbound Office documents from external senders at the mail gateway pending patch deployment.
- Disable preview handlers for Office formats in Windows Explorer and SharePoint where preview functionality is not required.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
