CVE-2025-59234: Microsoft 365 Apps Use After Free Flaw

CVE-2025-59234 Overview

CVE-2025-59234 is a use-after-free vulnerability [CWE-416] in Microsoft Office that allows an unauthorized attacker to execute arbitrary code locally. The flaw affects multiple Office product lines, including Microsoft 365 Apps, Microsoft 365 Copilot, Microsoft Office 2016/2019, and Office Long Term Servicing Channel 2021/2024. Exploitation requires user interaction, typically through opening a maliciously crafted Office document. A successful attack yields code execution in the context of the current user, with full impact on confidentiality, integrity, and availability. Microsoft published the advisory on October 14, 2025, and addressed the issue through its security update channel.

Critical Impact

A crafted Office document can trigger use-after-free memory corruption, leading to arbitrary code execution under the current user's privileges on Windows and macOS Office installations.

Affected Products

• Microsoft 365 Apps (Enterprise, x64 and x86)
• Microsoft 365 Copilot (Android)
• Microsoft Office 2016 and Office 2019 (x64 and x86)
• Microsoft Office Long Term Servicing Channel 2021 and 2024 (x64, x86, and macOS)

Discovery Timeline

• 2025-10-14 - CVE-2025-59234 published to NVD
• 2025-10-14 - Microsoft releases security update guide entry for CVE-2025-59234
• 2026-05-22 - Last updated in NVD database

Technical Details for CVE-2025-59234

Vulnerability Analysis

The vulnerability is a use-after-free condition within Microsoft Office's document processing code. Use-after-free flaws occur when a program continues to reference memory after it has been freed, allowing an attacker to manipulate the contents of that memory region before reuse. In Office, this class of bug typically arises during parsing of complex object structures inside document formats such as DOCX, XLSX, or RTF.

An attacker crafts a malicious document that triggers the freeing of an internal object while another code path still holds a dangling pointer to it. By controlling subsequent heap allocations, the attacker can place attacker-controlled data where the freed object resided. When the dangling pointer is dereferenced, the process operates on attacker-controlled memory, leading to control over instruction flow.

The resulting code execution runs with the privileges of the user who opened the document. Attackers commonly chain this primitive with sandbox escapes or privilege escalation to expand impact across the host.

Root Cause

The root cause is improper object lifetime management in Office's document handling components, classified under [CWE-416] Use After Free. A reference to a heap object persists after the allocator releases the object, and the application later dereferences that stale pointer during normal processing of document content.

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a weaponized Office document through email, file share, web download, or collaboration platform. When the victim opens the file in a vulnerable Office build, the parser triggers the use-after-free condition. No elevated privileges or prior authentication on the target system are required from the attacker. Preview pane handling in some Office configurations can lower the interaction barrier further. The vulnerability cannot be exploited remotely without user action, but social engineering reliably satisfies that requirement.

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-59234

Indicators of Compromise

• Office processes (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, wscript.exe, or rundll32.exe.
• Office applications crashing repeatedly with access violation exceptions when opening specific documents.
• Outbound network connections initiated directly by Office processes to untrusted hosts shortly after document open.
• Creation of executable files or LNK shortcuts in user-writable paths (%APPDATA%, %TEMP%) by an Office process.

Detection Strategies

• Hunt for parent-child process anomalies where an Office binary launches scripting interpreters or living-off-the-land binaries.
• Inspect Office documents arriving via email for embedded objects, unusual OLE streams, and macros that load external content.
• Correlate Windows Error Reporting telemetry for Office crashes against document hashes seen across the fleet.
• Apply YARA rules targeting malformed object structures in OOXML or RTF samples associated with use-after-free exploitation patterns.

Monitoring Recommendations

• Forward Sysmon Event IDs 1 (process create), 7 (image load), and 11 (file create) from endpoints running Office to a central analytics platform.
• Track Office telemetry for AMSI scan results and Defender Application Guard policy violations.
• Monitor mail gateway logs for documents flagged by sandbox detonation with memory corruption indicators.

How to Mitigate CVE-2025-59234

Immediate Actions Required

• Apply the security update referenced in the Microsoft Security Update Guide for CVE-2025-59234 to all affected Office installations.
• Inventory endpoints for vulnerable builds of Microsoft 365 Apps, Office 2016/2019, and Office LTSC 2021/2024, including macOS and Android Copilot clients.
• Block inbound Office documents from untrusted external senders at the mail gateway until patches are deployed.
• Enforce Protected View and Block macros from running in Office files from the internet through Group Policy.

Patch Information

Microsoft has released patches through standard Office update channels. Refer to the Microsoft Security Update Guide CVE-2025-59234 for the exact build numbers per channel (Current, Monthly Enterprise, Semi-Annual, and LTSC). Microsoft 365 Apps clients receive updates automatically when Click-to-Run is enabled; perpetual Office 2016/2019 and LTSC builds require the corresponding monthly security update package.

Workarounds

• Enable Office Protected View and Application Guard for documents originating from the internet and untrusted locations.
• Disable the Outlook preview pane to prevent automatic rendering of document attachments.
• Use Attack Surface Reduction (ASR) rules to block Office applications from creating child processes and from injecting code into other processes.
• Restrict opening of legacy file formats (e.g., RTF, DOC, XLS) using the File Block policy in the Trust Center.

# Example Group Policy registry settings to harden Office against document-borne exploitation
# Block child process creation by Office (ASR rule via PowerShell)
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions Enabled

# Enforce Protected View for files originating from the internet
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView" `
    /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f

# Block macros from the internet
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" `
    /v BlockContentExecutionFromInternet /t REG_DWORD /d 1 /f