Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62554

CVE-2025-62554: Microsoft 365 Apps RCE Vulnerability

CVE-2025-62554 is a type confusion remote code execution flaw in Microsoft 365 Apps that allows attackers to execute unauthorized code locally. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-62554 Overview

CVE-2025-62554 is a type confusion vulnerability in Microsoft Office that allows an authenticated local attacker to execute arbitrary code on affected systems. The flaw is tracked under CWE-843: Access of Resource Using Incompatible Type and impacts multiple Office builds, including Microsoft 365 Apps, Office 2016, Office 2019, and the Office Long Term Servicing Channel (LTSC) 2021 and 2024 releases. Microsoft addressed the issue as part of its December 2025 security update cycle.

Critical Impact

Successful exploitation gives an attacker code execution in the context of the current user, breaking Office document isolation and enabling further compromise of the host.

Affected Products

  • Microsoft 365 Apps (x86 and x64 enterprise builds) and Microsoft 365 Copilot on Android
  • Microsoft Office 2016 and Office 2019 (x86 and x64)
  • Microsoft Office LTSC 2021 and LTSC 2024 (x86, x64, and macOS)

Discovery Timeline

  • 2025-12-09 - CVE-2025-62554 published to the National Vulnerability Database
  • 2025-12-09 - Microsoft releases security update guidance for CVE-2025-62554
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-62554

Vulnerability Analysis

The vulnerability is a type confusion condition within Microsoft Office document parsing. Office code accesses a memory resource using a type that does not match the object actually stored at that location. Because the runtime treats the object as a different type than it is, controlled fields such as virtual function pointers or size descriptors can be interpreted as trusted data. The attacker uses this mismatch to redirect execution flow into attacker-supplied bytes. Exploitation requires local access and low privileges but does not require user interaction beyond opening a crafted document that reaches the vulnerable parser.

Root Cause

The root cause maps to CWE-843: Office parses embedded objects or structured data without enforcing strict type checks before dereferencing. When a malformed object is deserialized, the code casts it to an incompatible internal structure. Method dispatch or field accesses on the miscast object then treat attacker-controlled data as valid pointers or metadata.

Attack Vector

An attacker crafts a malicious Office document containing an object designed to trigger the type confusion path. When a local user opens the file, Office parses the object and performs the incompatible cast. The attacker achieves code execution with the privileges of the Office process, which typically runs as the current user. Because the CVSS vector lists the attack vector as Local with no user interaction required by the metric, the vulnerable code path is reached through Office's normal file-handling routines rather than through a network service.

No public proof-of-concept exploit code has been published for CVE-2025-62554. Technical details are limited to the Microsoft Security Update Guide.

Detection Methods for CVE-2025-62554

Indicators of Compromise

  • Unexpected child processes spawned by winword.exe, excel.exe, powerpnt.exe, or outlook.exe, such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe
  • Office applications writing executable content (.exe, .dll, .ps1, .hta, .js) to %TEMP%, %APPDATA%, or %PUBLIC%
  • Crash telemetry from Office processes referencing access violations in document parsing modules
  • Newly created scheduled tasks, Run keys, or startup entries created shortly after an Office document is opened

Detection Strategies

  • Hunt for behavioral chains where an Office document open event is followed by process creation, script interpreter launch, or outbound network activity from the Office process
  • Correlate Windows Event ID 4688 process creation events with the parent-child relationships listed above
  • Inspect email gateway and endpoint telemetry for Office documents that arrived from external senders and were opened within a short window before suspicious child process activity

Monitoring Recommendations

  • Enable Microsoft Defender Attack Surface Reduction (ASR) rules that block Office applications from creating child processes and from injecting code into other processes
  • Forward Sysmon process creation, image load, and file creation events to a centralized log platform for correlation with Office activity
  • Track Office build version telemetry across the fleet to confirm the December 2025 update is installed on every endpoint

How to Mitigate CVE-2025-62554

Immediate Actions Required

  • Apply the December 2025 Microsoft Office security updates that address CVE-2025-62554 across all affected 365 Apps, Office 2016, Office 2019, and Office LTSC 2021 and 2024 deployments
  • Prioritize patching endpoints used by high-value users and those that regularly receive external documents
  • Verify Click-to-Run update channels and macOS Office builds are enrolled in automatic updates

Patch Information

Microsoft published the fix and version-specific build numbers in the Microsoft Security Update Guide for CVE-2025-62554. Administrators should consult the advisory for the exact patched build for each channel, then push the update through Microsoft Configuration Manager, Intune, or the Office Deployment Tool.

Workarounds

  • Enforce Protected View and Application Guard for Office to open documents from the internet, email attachments, and untrusted network shares in a sandboxed container
  • Block macros and embedded content in documents originating from the internet using Group Policy or Microsoft 365 admin center settings
  • Restrict Office add-ins and OLE object activation for user populations that do not require them until the patch is fully deployed
bash
# Example Group Policy registry keys to enforce Protected View for Word
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.