CVE-2025-62199 Overview
CVE-2025-62199 is a use-after-free vulnerability [CWE-416] in Microsoft Office that allows an unauthorized attacker to execute code locally. The flaw affects multiple Office distributions, including Microsoft 365 Apps, Microsoft 365 Copilot, Microsoft Excel 2016, and the Office Long Term Servicing Channel (LTSC) 2021 and 2024 releases on both Windows and macOS. Exploitation requires user interaction, typically opening a crafted Office document. A successful attack yields code execution in the context of the logged-on user, with high impact to confidentiality, integrity, and availability.
Critical Impact
A crafted Office document can trigger memory reuse after deallocation, letting an attacker run arbitrary code on the victim's machine with the user's privileges.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft 365 Copilot (Android) and Microsoft Excel 2016 (x64 and x86)
- Microsoft Office Long Term Servicing Channel 2021 and 2024 (Windows x64/x86 and macOS)
Discovery Timeline
- 2025-11-11 - CVE-2025-62199 published to NVD by Microsoft
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2025-62199
Vulnerability Analysis
The issue is a use-after-free [CWE-416] in Microsoft Office's document parsing and object management code paths. The product frees a heap object but retains a dangling pointer that subsequent code dereferences. When an attacker controls the allocation that replaces the freed object, the resulting indirect call or write executes attacker-supplied data as code.
Exploitation is local but does not require prior authentication. The attack requires user interaction: the victim must open a malicious document delivered through email, a web download, or a shared file location. Once opened, the document drives Office through the vulnerable code path, triggers the freed-object reuse, and pivots into arbitrary code execution under the current user's security context.
Root Cause
Office components allocate document-bound objects (for example, embedded objects, parsed structures, or scriptable controls) and release them while another reference path still expects the object to be valid. When that stale reference is dereferenced, the heap region has typically been reclaimed and rewritten by attacker-controlled data, corrupting program state.
Attack Vector
Delivery follows the standard Office RCE pattern: a weaponized .xlsx, .docx, or related Office file is sent to the target. Opening or previewing the file (where Protected View is bypassed or disabled) executes the parser path that triggers the use-after-free. Because the CVSS vector is AV:L/AC:L/PR:N/UI:R, the attacker needs no credentials, only that the user opens the document.
No public proof-of-concept or exploit code is available at the time of writing, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Microsoft CVE-2025-62199 Advisory for vendor technical details.
Detection Methods for CVE-2025-62199
Indicators of Compromise
- Office processes (EXCEL.EXE, WINWORD.EXE) spawning child processes such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe shortly after a document open event.
- Office applications writing executable content (.exe, .dll, .scr) or scripts to %TEMP%, %APPDATA%, or Public directories.
- Unexpected outbound network connections originating from Office processes to previously unseen hosts.
- Crashes or Windows Error Reporting events in EXCEL.EXE or other Office binaries referencing heap corruption shortly after document interaction.
Detection Strategies
- Hunt for Office-to-LOLBin (living-off-the-land binary) process chains using EDR telemetry and correlate with the source document path.
- Inspect email attachments and SharePoint uploads for Office files containing embedded objects, OLE links, or unusual macro and add-in references.
- Apply YARA and AMSI-based content scanning to Office documents at the mail gateway and at endpoint open time.
Monitoring Recommendations
- Forward Sysmon Event IDs 1, 7, 11, and 22, together with Microsoft-Windows-Application-Experience logs, to a central analytics platform.
- Alert on Office processes loading non-Microsoft signed modules or modules from user-writable directories.
- Track Windows Defender Exploit Guard and Attack Surface Reduction (ASR) rule violations, particularly the rule blocking Office from creating child processes.
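The process, file-write and module-load indicators above map onto Sysmon Event IDs 1, 11 and 7. The Python below is an added example, not vendor code: it assumes Sysmon records already parsed into dictionaries keyed by Sysmon field names, the rule names are hypothetical, and the sample events are constructed.

```python
import ntpath
import re

OFFICE = {"excel.exe", "winword.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}
DROP_EXT = {".exe", ".dll", ".scr"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
DOC_RE = re.compile(r'([A-Za-z]:\\[^":]+?\.(?:xlsx|xlsm|xls|docx|docm|doc))(?=["\s]|$)', re.I)

def base(path):
    return ntpath.basename(path or "").lower()

def user_writable(path):
    return any(d in (path or "").lower() for d in USER_WRITABLE)

def source_document(cmdline):
    hits = DOC_RE.findall(cmdline or "")  # document paths on the Office command line
    return hits[-1] if hits else None

def detect(events):  # -> list of (rule, image, detail) tuples
    findings = []
    for ev in events:
        eid, image = ev.get("EventID"), base(ev.get("Image"))
        if eid == 1 and base(ev.get("ParentImage")) in OFFICE and image in LOLBINS:
            # Process create: Office parent, LOLBin child; keep the opened document.
            findings.append(("office_child_process", image,
                             source_document(ev.get("ParentCommandLine"))))
        elif eid == 11 and image in OFFICE:
            # File create: executable content written to a user-writable path.
            target = ev.get("TargetFilename", "")
            if ntpath.splitext(target)[1].lower() in DROP_EXT and user_writable(target):
                findings.append(("office_executable_drop", image, target))
        elif eid == 7 and image in OFFICE:
            # Image load: module not validly Microsoft-signed, or from a writable path.
            ms_signed = (ev.get("SignatureStatus") == "Valid"
                         and ev.get("Signature", "").startswith("Microsoft"))
            if not ms_signed or user_writable(ev.get("ImageLoaded")):
                findings.append(("office_untrusted_module", image, ev.get("ImageLoaded")))
    return findings

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [  # constructed, pre-parsed Sysmon records; not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EXCEL,
     "ParentCommandLine": f'"{EXCEL}" "C:\\Users\\alice\\Downloads\\invoice.xlsx"'},
    {"EventID": 11, "Image": EXCEL, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\u.dll"},
    {"EventID": 11, "Image": EXCEL, "TargetFilename": r"C:\Users\alice\Documents\q3.xlsx"},
    {"EventID": 7, "Image": EXCEL, "ImageLoaded": r"C:\Users\Public\h.dll", "SignatureStatus": "Unavailable"},
]

print(*detect(SAMPLE_EVENTS), sep="\n")
```

The benign save of `q3.xlsx` produces no finding; the other three constructed events each match one rule, and the child-process finding carries the document path taken from the parent command line.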
How to Mitigate CVE-2025-62199
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2025-62199 Advisory across all affected Office channels and platforms.
- Verify update deployment on Microsoft 365 Apps, Excel 2016, and Office LTSC 2021/2024 endpoints, including macOS clients.
- Enforce Protected View and Office macro restrictions through Group Policy or Intune for documents originating from the internet or email.
- Enable Microsoft Defender Attack Surface Reduction rules, particularly the rule that blocks Office applications from creating child processes.
Patch Information
Microsoft has released fixes through the standard Microsoft Update channel. Administrators should consult the vendor advisory at Microsoft Security Update Guide - CVE-2025-62199 for the specific build numbers per channel (Current Channel, Monthly Enterprise Channel, Semi-Annual Channel, LTSC) and deploy through WSUS, Intune, Configuration Manager, or click-to-run servicing.
Workarounds
- Block or quarantine inbound Office attachments at the mail gateway until patching completes, with focus on Excel and Word file types.
- Disable the Office Preview Pane in Outlook and Windows Explorer to reduce opportunistic triggering of the vulnerable parser.
- Apply Microsoft's recommended file block policies via Group Policy for high-risk Office formats in unpatched environments.
- Restrict end users to standard accounts so that successful exploitation does not grant administrative privileges.
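```powershell
# Enable ASR rule: Block Office applications from creating child processes.
# Add-MpPreference appends to the configured rules; Set-MpPreference would replace the whole list.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled

# Verify the rule is enforced: IDs and actions are parallel arrays (1 = Block)
$prefs = Get-MpPreference
$prefs.AttackSurfaceReductionRules_Ids
$prefs.AttackSurfaceReductionRules_Actions
```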


