CVE-2025-54908 Overview
CVE-2025-54908 is a use-after-free vulnerability [CWE-416] in Microsoft Office PowerPoint that lets an unauthorized attacker execute code locally. The flaw affects multiple Microsoft Office product lines, including Microsoft 365 Apps, Office 2019, Office Long Term Servicing Channel (LTSC) 2021 and 2024, and PowerPoint 2016. Exploitation requires user interaction: the victim must open a crafted PowerPoint document, and any resulting code runs with that user's privileges. Microsoft has published a security advisory and ships the fix through the standard Microsoft Update channels.
Critical Impact
Successful exploitation gives the attacker arbitrary code execution in the security context of the user who opened the file. If that user holds administrative rights, the attacker can install programs, view or modify data, and create accounts; if the user runs as a standard user, the immediate impact is limited to that account's privileges, which is one more reason to keep Office users out of the local Administrators group.
Affected Products
- Microsoft 365 Apps (Enterprise, x86 and x64)
- Microsoft Office 2019 (x86 and x64)
- Microsoft Office LTSC 2021 and 2024 (x86 and x64)
- Microsoft PowerPoint 2016
Discovery Timeline
- 2025-09-09 - CVE-2025-54908 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-54908
Vulnerability Analysis
The vulnerability is a use-after-free condition [CWE-416] in Microsoft Office PowerPoint. A use-after-free occurs when code keeps a pointer to a heap object after that object has been freed and later dereferences it; because the allocator may hand the same memory to a subsequent allocation, an attacker who can control that later allocation controls what the stale pointer reads or calls. Microsoft's advisory does not describe the affected code path, so the following is the general shape of such bugs in document parsers rather than published detail: in PowerPoint the natural trigger is a malformed structure in the presentation file that is processed while the document is loaded or rendered.
If the freed object is reallocated and filled with attacker-controlled data before the dangling reference is used, the application may dereference a function pointer or virtual table entry the attacker now controls and branch to an address of the attacker's choosing. On current Windows builds the attacker must also get past DEP, ASLR and, where the binary is built with it, Control Flow Guard, so a working exploit typically chains the hijacked call into a code-reuse (ROP) sequence rather than jumping straight to injected shellcode. The attack vector is local and requires user interaction: the victim must open a crafted PowerPoint file delivered through email, web download, or shared storage.
Root Cause
The root cause is improper memory lifecycle management in PowerPoint's document processing code: a code path frees a heap object but keeps a reference to it, and a later operation uses that reference without checking that the allocation is still live. Crafted presentation content forces that code path during parsing; which parser path is involved has not been published.
Attack Vector
An attacker delivers a malicious .pptx or .ppt file to a target user through phishing, a malicious website, or a compromised file share. When the user opens the file in a vulnerable version of PowerPoint, the parser hits the use-after-free condition and code executes in the security context of the logged-in user. Files carrying the Mark of the Web (downloads and email attachments) open in Protected View by default, which renders the document in a sandboxed, read-only instance; an exploit delivered that way needs either a separate sandbox escape or a user who clicks Enable Editing, so keeping Protected View enabled raises the bar for exploitation. Refer to the Microsoft CVE-2025-54908 Advisory for vendor-supplied technical details.
Detection Methods for CVE-2025-54908
Indicators of Compromise
- Unexpected child processes spawned from POWERPNT.EXE, such as cmd.exe, powershell.exe, wscript.exe, or rundll32.exe.
- PowerPoint files arriving from external sources, particularly email attachments or downloads, whose container is malformed or whose parts are unusually large (for .pptx, oddities in the OOXML ZIP structure such as missing required parts, embedded OLE or ActiveX objects, external relationships, or parts that inflate far beyond their compressed size).
- Crashes or abnormal exits of POWERPNT.EXE followed by suspicious process or network activity on the same host.
- Newly written executables or scripts in user-writable directories (e.g., %TEMP%, %APPDATA%) shortly after PowerPoint file open events.
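A static triage pass that surfaces the structural oddities described in the second indicator above, as an added example that is not part of the original page: it opens a .pptx as the OOXML ZIP container it is and flags missing required parts, embedded OLE/ActiveX objects, external relationships, oversized or suspiciously compressible parts, and traversal-style entry names. Assumptions: the thresholds and part lists are tuning choices, the sample files are constructed in-memory skeletons rather than real presentations, and none of this is a signature for CVE-2025-54908 itself, whose trigger Microsoft has not published; it is the kind of cheap pre-filter a mail gateway can run before spending a sandbox detonation on a file.

```python
import io
import re
import zipfile

# Thresholds and part lists are tuning assumptions, not vendor guidance.
MAX_PART_BYTES = 50 * 1024 * 1024   # a single part larger than this is worth a look
MAX_INFLATE_RATIO = 100             # uncompressed/compressed ratio hinting at a decompression bomb
REQUIRED_PARTS = ("[Content_Types].xml", "_rels/.rels", "ppt/presentation.xml")
RISKY_PREFIXES = ("ppt/embeddings/", "ppt/activeX/", "ppt/vbaProject.bin")
EXTERNAL_REL = re.compile(rb'TargetMode="External"', re.IGNORECASE)


def triage_pptx(data):
    """Return a list of (finding, detail) pairs for a .pptx given as bytes; [] means nothing odd."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not_a_zip", "file does not parse as a ZIP container")]
    names = zf.namelist()
    for part in REQUIRED_PARTS:
        if part not in names:
            findings.append(("missing_required_part", part))
    seen = set()
    for info in zf.infolist():
        n = info.filename
        if n in seen:
            findings.append(("duplicate_entry", n))
        seen.add(n)
        if n.startswith(("/", "\\")) or ".." in n.split("/"):
            findings.append(("path_traversal_name", n))
        if n.startswith(RISKY_PREFIXES):
            findings.append(("embedded_object", n))
        if info.file_size > MAX_PART_BYTES:
            findings.append(("oversized_part", f"{n} ({info.file_size} bytes)"))
        if info.compress_size and info.file_size / info.compress_size > MAX_INFLATE_RATIO:
            findings.append(("inflate_ratio", f"{n} ({info.file_size}/{info.compress_size})"))
        # Relationship parts are where external links live; a deck should not reach out of its container.
        if n.endswith(".rels") and EXTERNAL_REL.search(zf.read(n)):
            findings.append(("external_relationship", n))
    return findings


def build_sample(suspicious):
    """Constructed minimal .pptx skeleton (just enough parts for the triage; not a real deck).
    With suspicious=True it adds an embedded OLE object, an external relationship and a
    highly compressible 4 MiB part, the three shapes the triage should catch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("_rels/.rels", '<?xml version="1.0"?><Relationships/>')
        zf.writestr("ppt/presentation.xml", '<?xml version="1.0"?><p:presentation/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><p:sld/>')
        if suspicious:
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
            zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                        '<Relationships><Relationship Id="rId9" TargetMode="External" '
                        'Target="https://example.invalid/payload.bin"/></Relationships>')
            zf.writestr("ppt/media/image1.bin", b"\x00" * (4 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("benign", build_sample(False)), ("suspicious", build_sample(True)), ("garbage", b"MZ\x90\x00"))
    for label, blob in samples:
        print(label, triage_pptx(blob))
```

The checks are deliberately cheap (no XML parsing of slide content) so they can run inline on every inbound attachment; anything with a finding goes to sandbox detonation or quarantine rather than straight to the mailbox.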
Detection Strategies
- Monitor process lineage for Office applications and alert on PowerPoint spawning shell, scripting, or LOLBin processes.
- Correlate Office application crash events (Application log Event ID 1000 from Application Error, and the matching Windows Error Reporting Event ID 1001, with faulting application POWERPNT.EXE) with process creation and network connections on the same host in the minutes that follow; a failed exploitation attempt often shows up only as a crash.
- Inspect inbound PowerPoint attachments at the email gateway using sandbox detonation to identify exploit attempts.
- Use EDR exploit-protection telemetry to flag exploit-style behavior inside Office processes, such as code execution from heap or other non-image memory and unexpected changes to memory protections.
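The lineage and crash-correlation rules above, as an added example that is not part of the original page or of any Microsoft tooling: it runs the two rules over a handful of constructed, Sysmon-shaped events (process creation, file creation and an Application Error crash record) flattened into dictionaries the way they might land in a SIEM, and escalates an alert when a PowerPoint crash preceded it on the same host. The field names, the LOLBin list, the user-writable path markers and the five-minute correlation window are assumptions to tune for your environment.

```python
from datetime import datetime, timedelta
import ntpath

# Tuning assumptions (not vendor guidance): which parent we care about, which
# children are alertable, and how long after a crash we still link activity to it.
OFFICE_PARENTS = {"powerpnt.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "msiexec.exe",
}
EXECUTABLE_EXTS = (".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd", ".scr")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
CRASH_WINDOW = timedelta(minutes=5)


def _base(path):
    """Case-folded file name of a Windows path; ntpath makes this work on any OS."""
    return ntpath.basename(path).lower()


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def lineage_alerts(events):
    """Rule 1: PowerPoint spawning a shell, script host or LOLBin."""
    alerts = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if _base(ev["parent_image"]) in OFFICE_PARENTS and _base(ev["image"]) in SUSPICIOUS_CHILDREN:
            alerts.append({"rule": "office_child_process", "host": ev["host"],
                           "ts": ev["ts"], "detail": ev["cmdline"]})
    return alerts


def dropped_file_alerts(events):
    """Rule 2: PowerPoint writing executable content into a user-writable directory."""
    alerts = []
    for ev in events:
        if ev["type"] != "file_create" or _base(ev["image"]) not in OFFICE_PARENTS:
            continue
        target = ev["target"].lower()
        if target.endswith(EXECUTABLE_EXTS) and any(m in target for m in USER_WRITABLE_MARKERS):
            alerts.append({"rule": "office_dropped_executable", "host": ev["host"],
                           "ts": ev["ts"], "detail": ev["target"]})
    return alerts


def correlate_with_crashes(events, alerts):
    """Escalate any alert preceded by a POWERPNT.EXE crash on the same host within CRASH_WINDOW.
    The crash-then-activity sequence is the one to watch: an exploitation attempt that did not
    land cleanly on the first try still leaves an Event ID 1000 behind."""
    crashes = [ev for ev in events if ev["type"] == "app_crash" and _base(ev["image"]) in OFFICE_PARENTS]
    for alert in alerts:
        t = _ts(alert)
        alert["crash_correlated"] = any(
            c["host"] == alert["host"] and timedelta(0) <= t - _ts(c) <= CRASH_WINDOW
            for c in crashes
        )
        alert["severity"] = "high" if alert["crash_correlated"] else "medium"
    return alerts


def run_detections(events):
    """All rules over one event batch, oldest alert first."""
    alerts = lineage_alerts(events) + dropped_file_alerts(events)
    return sorted(correlate_with_crashes(events, alerts), key=lambda a: (a["ts"], a["rule"]))


# Constructed sample telemetry, not real logs. ws01 shows a crash followed by a shell and a
# dropped DLL; ws02 is benign print-spooler activity; ws03 has a shell long after its crash.
PPT = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T09:00:01", "host": "ws01", "type": "process_create", "image": PPT,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r'"POWERPNT.EXE" "C:\Users\alice\Downloads\q3.pptx"'},
    {"ts": "2025-09-10T09:00:12", "host": "ws01", "type": "app_crash", "image": "POWERPNT.EXE", "event_id": 1000},
    {"ts": "2025-09-10T09:00:15", "host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": PPT, "cmdline": r"cmd.exe /c rundll32 C:\Users\alice\AppData\Local\Temp\upd.dll,Run"},
    {"ts": "2025-09-10T09:00:16", "host": "ws01", "type": "file_create", "image": PPT,
     "target": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"ts": "2025-09-10T10:15:00", "host": "ws02", "type": "process_create", "image": r"C:\Windows\splwow64.exe",
     "parent_image": PPT, "cmdline": "splwow64.exe"},
    {"ts": "2025-09-10T10:15:01", "host": "ws02", "type": "file_create", "image": PPT,
     "target": r"C:\Users\bob\AppData\Local\Temp\~DF1234.tmp"},
    {"ts": "2025-09-10T11:00:00", "host": "ws03", "type": "app_crash", "image": "POWERPNT.EXE", "event_id": 1000},
    {"ts": "2025-09-10T11:30:00", "host": "ws03", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": PPT, "cmdline": "powershell.exe -nop -w hidden"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["ts"], a["rule"], a["detail"])
```

On real telemetry the same functions can be fed from Sysmon Event ID 1 (ParentImage/Image/CommandLine), Event ID 11 (Image/TargetFilename) and the Application log's Event ID 1000, after mapping those fields onto the keys used here; the ws03 case shows why the window matters, since the late shell still alerts on lineage but is not promoted to high severity.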
Monitoring Recommendations
- Enable the Microsoft Defender Attack Surface Reduction (ASR) rules that block Office applications from creating child processes (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) and from injecting code into other processes (rule ID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84); run them in audit mode first and review the resulting events (Event ID 1122 for audit hits, 1121 for blocks, in the Microsoft-Windows-Windows Defender/Operational log) before enforcing.
- Ingest Sysmon process creation, image load, and file creation events from endpoints running Office into a centralized SIEM for correlation.
- Track patch deployment status across Microsoft 365 Apps, Office 2019, and Office LTSC 2021/2024 installations to confirm remediation coverage.
How to Mitigate CVE-2025-54908
Immediate Actions Required
- Apply the Microsoft security updates referenced in the Microsoft CVE-2025-54908 Advisory to all affected Office installations.
- Verify that Microsoft 365 Apps clients are on a current update channel and have received the latest monthly security update.
- Prioritize patching for users who handle externally sourced documents, including finance, HR, and executive staff.
- Reinforce user awareness around opening PowerPoint files from untrusted senders.
Patch Information
Microsoft has released fixes through the standard Microsoft Update and Office Click-to-Run distribution channels. Administrators should consult the Microsoft CVE-2025-54908 Advisory for specific build numbers and KB identifiers covering Microsoft 365 Apps, Office 2019, Office LTSC 2021, Office LTSC 2024, and PowerPoint 2016.
Workarounds
- Keep Protected View enabled (it is on by default) so that documents carrying the Mark of the Web from the internet and email open in a read-only, sandboxed instance, and check that Group Policy or Trust Center settings have not turned it off or added broad Trusted Locations that bypass it. Application Guard for Office, which isolated such documents in a container, has been deprecated by Microsoft and should not be relied on for current Microsoft 365 Apps builds.
- Block macros and ActiveX content in files originating from the internet via Group Policy on Office applications. This does not stop a parser-level use-after-free, which needs no active content to trigger, but it removes the easiest follow-on payload stages from the same delivery channel.
- Use email gateway controls to strip or quarantine PowerPoint attachments from untrusted external senders until patching is complete.
- Apply the Microsoft Defender ASR rule Block all Office applications from creating child processes to limit post-exploitation activity. The rule does not prevent the memory corruption itself; it blocks the common next step of spawning a shell or script host from POWERPNT.EXE.
# Example: enable the ASR rules that block Office child processes and Office code
# injection (PowerShell, run as administrator). Add-MpPreference appends to the
# existing rule list; Set-MpPreference would replace any rules already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled
# Use AuditMode instead of Enabled to log hits first if the rule has not been piloted.
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 `
    -AttackSurfaceReductionRules_Actions Enabled
# Verify: the two lists are positionally matched (1 = Enabled, 2 = AuditMode, 6 = Warn).
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

