A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62202

CVE-2025-62202: Microsoft 365 Apps Info Disclosure Flaw

CVE-2025-62202 is an information disclosure vulnerability in Microsoft 365 Apps caused by an out-of-bounds read in Excel. Attackers can exploit this locally to access sensitive data. Learn about affected versions and patches.

Published: June 9, 2026

CVE-2025-62202 Overview

CVE-2025-62202 is an out-of-bounds read vulnerability in Microsoft Office Excel that allows an unauthorized attacker to disclose information locally. The flaw is categorized under [CWE-125] and affects multiple Microsoft Office product lines, including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021 and 2024, and Office Online Server. Exploitation requires user interaction, typically by opening a maliciously crafted Excel document. Successful exploitation can leak sensitive memory contents from the Excel process, which attackers may use to bypass mitigations such as Address Space Layout Randomization (ASLR) or to chain with other vulnerabilities.

Critical Impact

An attacker who tricks a user into opening a crafted Excel file can read out-of-bounds memory, exposing sensitive process data and potentially aiding further exploitation.

Affected Products

  • Microsoft 365 Apps (Enterprise, x86 and x64)
  • Microsoft Excel 2016, Microsoft Office 2019, Microsoft Office LTSC 2021 and 2024 (including macOS builds)
  • Microsoft Office Online Server

Discovery Timeline

  • 2025-11-11 - CVE-2025-62202 published to NVD
  • 2025-11-17 - Last updated in NVD database

Technical Details for CVE-2025-62202

Vulnerability Analysis

The vulnerability is an out-of-bounds read [CWE-125] in the Excel file parsing logic. When Excel processes a specifically crafted spreadsheet, the application reads memory beyond the bounds of an allocated buffer. The leaked data resides in the address space of the Excel process and may include heap metadata, pointers, or fragments of other documents loaded in the same session.

The attack vector is local and requires user interaction. An attacker delivers a malicious .xls, .xlsx, or related Office file through email, a shared drive, or a download. The user must open the file in a vulnerable Excel build for the parser to trigger the read. No elevated privileges are required on the target system.

The primary impact is information disclosure. While the flaw does not directly grant code execution, leaked memory addresses can defeat ASLR and serve as a building block for chained exploits against companion Office vulnerabilities patched in the same release cycle.

Root Cause

The root cause is missing or insufficient bounds validation when Excel parses structured fields inside a workbook. A malformed record length or index causes the parser to read past the end of a buffer, returning adjacent process memory to attacker-controlled structures.

Attack Vector

An attacker crafts a malicious Excel document containing malformed record structures. The file is delivered through phishing, watering-hole websites, or shared file repositories. When the victim opens the file, the parsing routine performs the out-of-bounds read, and the leaked data can be exfiltrated through embedded objects, formula channels, or staged follow-on payloads. Detailed technical analysis is not publicly available. See the Microsoft Security Update CVE-2025-62202 advisory for vendor-supplied details.

Detection Methods for CVE-2025-62202

Indicators of Compromise

  • Inbound email attachments containing Excel files from unverified senders, especially with macro-enabled extensions such as .xlsm or unusual binary .xls formats.
  • Crash or anomalous termination of EXCEL.EXE shortly after opening a document, recorded in Windows Event Log under Application Error events.
  • Outbound network connections initiated by EXCEL.EXE immediately following document open, indicating possible data exfiltration of leaked memory.

Detection Strategies

  • Monitor child process creation under EXCEL.EXE for unusual binaries such as powershell.exe, cmd.exe, wscript.exe, or mshta.exe.
  • Inspect Office telemetry for documents originating from the internet zone (Mark-of-the-Web) being opened by users in sensitive roles.
  • Apply YARA or content-inspection rules on mail gateways to flag Excel files with malformed record structures or suspicious embedded OLE objects.

Monitoring Recommendations

  • Centralize Office application logs and Windows Defender Application Guard telemetry in a SIEM for correlation with phishing campaign indicators.
  • Track Office version inventory across managed endpoints to identify hosts still running unpatched Excel builds.
  • Enable Attack Surface Reduction (ASR) rules that block Office applications from creating child processes and writing to executable content.

How to Mitigate CVE-2025-62202

Immediate Actions Required

  • Apply the November 2025 Microsoft security updates referenced in the Microsoft Security Update CVE-2025-62202 advisory to all affected Office installations.
  • Prioritize patching workstations used by high-value users such as executives, finance staff, and administrators who are common phishing targets.
  • Verify that Microsoft 365 Apps clients are configured for the Current Channel or Monthly Enterprise Channel and have received the latest cumulative update.

Patch Information

Microsoft released fixes for CVE-2025-62202 as part of its November 2025 Patch Tuesday release. Administrators should consult the Microsoft Security Update CVE-2025-62202 page for specific build numbers covering Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server on both Windows and macOS.

Workarounds

  • Enforce Protected View for all files originating from the internet and from Outlook attachments through Group Policy.
  • Block or quarantine Excel attachments from untrusted external senders at the mail gateway until patches are deployed.
  • Enable Microsoft Defender Attack Surface Reduction rules to prevent Office applications from creating executable child processes.
bash
# Configuration example: enforce Protected View via Group Policy registry keys
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechMicrosoft 365 Apps
  • SeverityHIGH
  • CVSS Score7.1
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-125
  • Vendor Resources
  • Microsoft Security Update CVE-2025-62202
  • Related CVEs
  • CVE-2026-33822: Microsoft 365 Apps Disclosure Vulnerability
  • CVE-2026-21258: Microsoft 365 Apps Info Disclosure Flaw
  • CVE-2026-21260: Microsoft 365 Apps Info Disclosure Flaw
  • CVE-2026-21261: Microsoft 365 Apps Info Disclosure Flaw
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English