CVE-2025-60727 Overview
CVE-2025-60727 is an out-of-bounds read vulnerability [CWE-125] in Microsoft Office Excel that enables local code execution. An attacker can craft a malicious Excel file that, when opened by a victim, triggers the flaw and runs attacker-controlled code in the context of the current user. The vulnerability affects multiple Microsoft Office product lines including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server. Exploitation requires user interaction but no authentication or elevated privileges on the target system.
Critical Impact
Successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the user who opens a malicious Excel document, leading to full compromise of confidentiality, integrity, and availability on the affected host.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Excel 2016, Microsoft Office 2019
- Microsoft Office LTSC 2021, Office LTSC 2024, and Office Online Server
Discovery Timeline
- 2025-11-11 - CVE-2025-60727 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-60727
Vulnerability Analysis
The vulnerability is an out-of-bounds read condition in the Excel file parsing logic. When Excel processes a specially crafted spreadsheet, it reads memory beyond the bounds of an allocated buffer. The attacker controls the structure of the malicious file, allowing them to influence which adjacent memory is read and subsequently used by the application. This memory disclosure primitive can be combined with control of program flow to achieve arbitrary code execution within the Excel process.
Exploitation is local in scope but delivery is typically remote, since Excel documents are commonly distributed through email attachments, web downloads, and shared file storage. The flaw requires the victim to open the file, which fits well-established phishing and document-based intrusion patterns.
Root Cause
The root cause is improper validation of length or offset fields during parsing of an Excel document structure. The parser dereferences memory outside the intended buffer boundaries, classified under CWE-125 (Out-of-bounds Read). When the disclosed memory contains pointers or object data used in later operations, the attacker can manipulate control flow to execute arbitrary instructions.
Attack Vector
The attacker prepares a malicious .xls, .xlsx, or related Excel-format file containing crafted structures that trigger the out-of-bounds read. The file is delivered through phishing email, malicious websites, file-sharing platforms, or removable media. When the victim opens the document in a vulnerable Office build, Excel parses the malformed content, the parser reads beyond the buffer, and the attacker-controlled data path leads to code execution under the user's security context. No authentication is required, and no prior access to the system is needed beyond convincing the user to open the file.
No public proof-of-concept or in-the-wild exploitation has been reported in the available data. See the Microsoft Security Update Guide for vendor-provided technical context.
Detection Methods for CVE-2025-60727
Indicators of Compromise
- Unexpected child processes spawned by EXCEL.EXE, such as cmd.exe, powershell.exe, wscript.exe, mshta.exe, or rundll32.exe.
- Excel documents arriving from external email senders that contain unusual embedded objects, OLE streams, or malformed BIFF/OOXML structures.
- Outbound network connections initiated by EXCEL.EXE to unfamiliar domains shortly after a document is opened.
- Crash events or Windows Error Reporting telemetry referencing EXCEL.EXE and access violations during file parsing.
Detection Strategies
- Hunt for process lineage where EXCEL.EXE is the parent of script interpreters or living-off-the-land binaries.
- Inspect Excel documents at the email gateway for malformed records or anomalous structure sizes that deviate from valid OOXML schemas.
- Correlate Office telemetry, endpoint process events, and proxy logs to identify document-borne execution chains.
Monitoring Recommendations
- Enable and forward Microsoft Office telemetry, Sysmon process and image-load events, and Windows Defender Application Control logs to a central SIEM.
- Monitor for new persistence artifacts written to %APPDATA%, Run registry keys, or scheduled tasks created within minutes of an Excel document open event.
- Alert on Excel processes loading unsigned or unusual DLLs from user-writable paths.
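The process-lineage hunt from Detection Strategies and the "persistence artifact within minutes of an Excel open" correlation above, as an added example that is not part of the original advisory: Python detection logic run over constructed Sysmon-style records. The event field names, the LOLBin list and the five-minute window are assumptions, and the sample events are fabricated for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Sysmon Event ID 1 = process create, Event ID 13 = registry value set.
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample telemetry (assumed field names), not real events.
SAMPLE_EVENTS = [
    {"time": "2025-11-12T09:00:01", "id": 1, "pid": 4120, "image": EXCEL,
     "parent_image": r"C:\Windows\explorer.exe"},                     # user opens Excel
    {"time": "2025-11-12T09:00:09", "id": 1, "pid": 4188,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": EXCEL},  # suspicious child
    {"time": "2025-11-12T09:00:12", "id": 13, "pid": 4188,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"time": "2025-11-12T09:03:00", "id": 1, "pid": 4210,
     "image": r"C:\Windows\splwow64.exe", "parent_image": EXCEL},      # benign print helper
    {"time": "2025-11-12T11:30:00", "id": 13, "pid": 900,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},  # outside window
]

def _base(path):
    return ntpath.basename(path).lower()

def excel_lolbin_children(events):
    """Event ID 1 records where EXCEL.EXE is the parent of a script interpreter or LOLBin."""
    return [e for e in events
            if e["id"] == 1 and _base(e["parent_image"]) == "excel.exe"
            and _base(e["image"]) in LOLBINS]

def run_key_writes_after_excel(events, window=timedelta(minutes=5)):
    """Run-key value writes (Event ID 13) landing within `window` after any EXCEL.EXE start."""
    starts = [datetime.fromisoformat(e["time"]) for e in events
              if e["id"] == 1 and _base(e["image"]) == "excel.exe"]
    hits = []
    for e in events:
        if e["id"] != 13 or RUN_KEY not in e["target"].lower():
            continue
        t = datetime.fromisoformat(e["time"])
        if any(s <= t <= s + window for s in starts):
            hits.append((e["pid"], e["target"]))
    return hits
```

On the sample data the first function flags only the cmd.exe child (splwow64.exe is a normal Office print helper), and the second flags the Run-key write 11 seconds after the Excel start while ignoring the OneDrive entry written hours later.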
How to Mitigate CVE-2025-60727
Immediate Actions Required
- Apply the security update published by Microsoft for all affected Office product channels referenced in the Microsoft Security Update Guide.
- Inventory endpoints to identify unpatched Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021/2024, and Office Online Server installations.
- Prioritize patching for users handling external documents, such as finance, HR, executive assistants, and external-facing roles.
Patch Information
Microsoft has issued fixes through its monthly security update channel. Administrators should apply the appropriate updates for each affected product family. For Microsoft 365 Apps, ensure the Click-to-Run channel is current. For perpetual Office versions, deploy the corresponding security update package. Refer to the Microsoft Security Update Guide for the specific KB numbers and build versions per channel.
Workarounds
- Enforce Protected View for files originating from the internet, email attachments, and unsafe locations to constrain parser behavior during initial open.
- Configure Office to block macros and external content in documents from the internet using Group Policy or Microsoft Intune.
- Use Attack Surface Reduction (ASR) rules to block Office applications from creating child processes and from injecting code into other processes.
- Restrict opening of Excel files from untrusted sources at the email gateway and web proxy.
# Configuration example: enable the ASR rule "Block all Office applications from creating child processes".
# Add-MpPreference appends to the existing ASR rule list; Set-MpPreference would replace the whole list
# and silently drop any rules already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled
# Verify: list each configured rule ID with its action (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn)
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0} -> {1}" -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

