CVE-2025-62200 Overview
CVE-2025-62200 is a local code execution vulnerability in Microsoft Office Excel caused by an untrusted pointer dereference [CWE-822]. An attacker can craft a malicious Excel document that, when opened by a user, leads to arbitrary code execution in the context of the current user. Microsoft published the advisory on November 11, 2025, covering Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021 and 2024, and Office Online Server.
Exploitation requires user interaction, typically through opening a weaponized spreadsheet delivered via phishing or shared file repositories. Successful exploitation grants full confidentiality, integrity, and availability impact on the affected host.
Critical Impact
A user opening a crafted Excel file can give an attacker full code execution rights as the current user, enabling malware installation, data theft, and lateral movement.
Affected Products
- Microsoft 365 Apps (Enterprise, x86 and x64)
- Microsoft Excel 2016 and Microsoft Office 2019
- Microsoft Office LTSC 2021, Office LTSC 2024, and Office Online Server
Discovery Timeline
- 2025-11-11 - CVE-2025-62200 published to NVD with Microsoft advisory
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-62200
Vulnerability Analysis
The flaw is classified as an untrusted pointer dereference [CWE-822] within Microsoft Office Excel. Excel reads pointer-like values from attacker-controlled file structures and dereferences them without verifying that the value points to a valid, allocated, and properly typed memory region. When the parser follows that pointer, control flow or memory writes are driven by data the attacker placed inside the spreadsheet.
The attack surface is the Excel file parser, which processes complex binary and OOXML structures including records, formulas, and embedded objects. Because the dereferenced pointer can be steered to attacker-prepared data, the condition is suitable for arbitrary code execution rather than only a crash.
Exploitation runs in the security context of the user opening the file. On systems where users hold administrative privileges or local development rights, the blast radius extends to the entire endpoint.
Root Cause
The root cause is missing validation of a pointer value sourced from a parsed Office document. The Excel code path trusts a field that should be treated as untrusted input and dereferences it directly, violating the boundary between document data and process memory.
Attack Vector
The attack vector is local with required user interaction. An attacker delivers a crafted .xls, .xlsx, or related Excel file through email, a download link, a shared drive, or a SharePoint or Teams workspace. When a user opens the file, or in some cases previews it through the Preview Pane, the malformed structure triggers the dereference and executes attacker-controlled code. No authentication to the target system is required from the attacker.
Technical details of the exact pointer field are not public. Refer to the Microsoft CVE-2025-62200 Advisory for parser specifics and patched binaries.
Detection Methods for CVE-2025-62200
Indicators of Compromise
- Excel processes (EXCEL.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, or rundll32.exe.
- Excel writing executable content (.exe, .dll, .scr, .js) to user-writable locations such as %TEMP%, %APPDATA%, or %PUBLIC%.
- Outbound network connections originating from EXCEL.EXE to previously unseen domains or IP addresses shortly after document open.
- Crash or Watson reports referencing access violations inside Excel modules when opening untrusted spreadsheets.
Detection Strategies
- Hunt for Office child-process chains using process lineage telemetry, filtering on parent EXCEL.EXE with suspicious children.
- Inspect inbound email and shared storage for Excel attachments containing macros, external links, or unusual embedded objects.
- Correlate document open events with subsequent file writes, registry persistence, or scheduled task creation within a short time window.
Monitoring Recommendations
- Forward Microsoft Office telemetry, Sysmon process and file events, and EDR alerts to a central analytics platform for correlation.
- Enable Attack Surface Reduction (ASR) rules that block Office applications from creating child processes and from injecting code into other processes, and audit blocked events.
- Track Excel version and patch level across the fleet to identify unpatched endpoints exposed to CVE-2025-62200.
How to Mitigate CVE-2025-62200
Immediate Actions Required
- Apply the November 2025 Microsoft Office security updates to all affected Excel, Microsoft 365 Apps, Office 2019, Office LTSC 2021 and 2024, and Office Online Server installations.
- Prioritize patching endpoints belonging to users who routinely handle external spreadsheets, including finance, procurement, and executive staff.
- Block inbound Excel attachments from untrusted senders at the email gateway until patch deployment is confirmed.
Patch Information
Microsoft has released security updates addressing CVE-2025-62200. Refer to the Microsoft CVE-2025-62200 Advisory for the specific KB articles and channel-specific build numbers. Click-to-Run installations of Microsoft 365 Apps update automatically once the affected machine connects to the update service. MSI-based installations of Office 2016, 2019, and LTSC editions require the corresponding monthly security patch through WSUS, Microsoft Update, or Configuration Manager.
Workarounds
- Enable Protected View and Office Protected View for files originating from the internet, email attachments, and unsafe locations.
- Disable the Outlook and Explorer Preview Pane for Excel file types to prevent rendering of untrusted documents.
- Enforce the Microsoft Defender ASR rule that blocks Office applications from creating child processes.
- Restrict opening of legacy .xls binary formats using File Block Settings in the Office Trust Center where business workflows allow.
# Configuration example: enable ASR rule to block Office child processes (PowerShell)
Set-MpPreference -AttackSurfaceReductionRules_Ids `
D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
-AttackSurfaceReductionRules_Actions Enabled
# Verify configured ASR rules
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

