CVE-2025-59238 Overview
CVE-2025-59238 is a use-after-free vulnerability [CWE-416] in Microsoft Office PowerPoint that allows an unauthorized attacker to execute code locally. The flaw affects multiple Microsoft Office distributions, including Microsoft 365 Apps, Office 2019, Office Long Term Servicing Channel 2021 and 2024, and PowerPoint 2016. Exploitation requires the targeted user to open a crafted PowerPoint file, making weaponized documents delivered through phishing or shared file repositories the most likely delivery method. Microsoft published the advisory on October 14, 2025.
Critical Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current user, resulting in full compromise of confidentiality, integrity, and availability on the affected host.
Affected Products
- Microsoft 365 Apps (Enterprise, x86 and x64)
- Microsoft Office 2019 (x86 and x64)
- Microsoft Office Long Term Servicing Channel 2021 and 2024 (x86 and x64)
- Microsoft PowerPoint 2016
Discovery Timeline
- 2025-10-14 - CVE-2025-59238 published to NVD
- 2025-10-14 - Microsoft releases security advisory and patch
- 2025-10-16 - Last updated in NVD database
Technical Details for CVE-2025-59238
Vulnerability Analysis
The vulnerability is a use-after-free condition within Microsoft Office PowerPoint's document processing logic. A use-after-free occurs when application code continues to reference a memory region after it has been released back to the allocator. When PowerPoint parses a crafted presentation file, the application frees an internal object but retains a dangling pointer that is later dereferenced during further processing.
An attacker who controls the contents of the freed memory region can place a counterfeit object at that address. When PowerPoint subsequently uses the dangling pointer, control flow can be redirected to attacker-supplied data. This typically leads to arbitrary code execution in the security context of the user running PowerPoint.
The attack vector is local and requires user interaction. A victim must open a malicious .ppt, .pptx, or related Office file. Protected View provides a partial barrier, but users who click "Enable Editing" on attacker-controlled documents remain exposed.
Root Cause
The root cause is improper lifetime management of an internal PowerPoint object [CWE-416]. The application releases the object during document parsing without invalidating all references, leaving a stale pointer accessible to later code paths. Manipulating object reuse via crafted file structures enables deterministic exploitation.
Attack Vector
Exploitation is local and user-assisted. An attacker delivers a malicious PowerPoint file through email attachments, instant messaging, web downloads, or shared cloud storage. When the victim opens the file in a vulnerable Office build, the parser triggers the use-after-free during deserialization of the embedded content. No elevated privileges are required to launch the attack, and the attacker inherits the privileges of the targeted user. The EPSS probability is 0.063% as of the latest scoring, but the broad install base of Office raises practical risk significantly.
No public proof-of-concept code is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft CVE-2025-59238 Advisory for full technical details.
Detection Methods for CVE-2025-59238
Indicators of Compromise
- Unexpected child processes spawned by POWERPNT.EXE, such as cmd.exe, powershell.exe, wscript.exe, cscript.exe, rundll32.exe, or regsvr32.exe.
- Office application crashes or repeated faulting events referencing PowerPoint modules in the Windows Application event log.
- Outbound network connections initiated by POWERPNT.EXE to previously unseen domains or IP addresses immediately after a document opens.
- New files written to %APPDATA%, %TEMP%, or startup folders by PowerPoint shortly after document parsing.
Detection Strategies
- Hunt for PowerPoint process trees that deviate from baseline behavior, particularly executions of scripting interpreters or LOLBins as descendants of POWERPNT.EXE.
- Apply YARA and content rules against inbound email attachments and file shares to flag PowerPoint documents containing anomalous OLE structures or embedded ActiveX controls.
- Correlate Office telemetry with endpoint memory protection events such as Data Execution Prevention (DEP) violations and Control Flow Guard (CFG) faults.
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction (ASR) rules that block Office applications from creating child processes and from injecting code into other processes.
- Forward Sysmon process creation, image load, and file write events from endpoints running Office to a central SIEM for retroactive hunting.
- Track patch deployment status of Microsoft 365 Apps and standalone Office installations through configuration management tooling and prioritize unpatched hosts for monitoring.
How to Mitigate CVE-2025-59238
Immediate Actions Required
- Apply the October 2025 Microsoft security updates for all affected Office and Microsoft 365 Apps channels without delay.
- Inventory endpoints running PowerPoint 2016, Office 2019, and Office LTSC 2021/2024 and confirm patch installation through centralized management.
- Enforce Protected View and Block Macros from the Internet through Group Policy for all Office applications.
- Restrict execution of PowerPoint files received from external sources via mail gateway policies and conditional access rules.
Patch Information
Microsoft has released security updates for all affected products. Administrators should consult the Microsoft CVE-2025-59238 Advisory for the specific KB articles, build numbers, and update channels that apply to their environment. Click-to-Run installations of Microsoft 365 Apps receive the fix automatically once update channels are configured to current builds.
Workarounds
- Where patching is delayed, enforce Protected View for files originating from the internet, email attachments, and unsafe locations through Group Policy.
- Configure Microsoft Defender ASR rule "Block all Office applications from creating child processes" (D4F940AB-401B-4EFC-AADC-AD5F3C50688A) in block mode.
- Deliver user awareness guidance instructing recipients not to enable editing on unsolicited PowerPoint files.
- Use Office File Block policies to restrict opening of legacy PowerPoint binary formats where they are not required for business operations.
# Example Group Policy registry settings to enforce Protected View for PowerPoint
reg add "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f
# Enable ASR rule: Block all Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
