CVE-2025-62560 Overview
CVE-2025-62560 is an untrusted pointer dereference vulnerability in Microsoft Office Excel that allows local code execution. The flaw is classified under CWE-126 and affects multiple Microsoft Office editions including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server. Exploitation requires user interaction, typically by opening a crafted Excel file. Successful exploitation grants the attacker code execution in the context of the current user, with high impact to confidentiality, integrity, and availability.
Critical Impact
An attacker who successfully exploits CVE-2025-62560 can execute arbitrary code locally on the target system with the privileges of the user running Excel.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Excel 2016, Microsoft Office 2019
- Microsoft Office LTSC 2021 / 2024 (Windows and macOS), Microsoft Office Online Server
Discovery Timeline
- 2025-12-09 - CVE-2025-62560 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-62560
Vulnerability Analysis
The vulnerability is an untrusted pointer dereference (CWE-126) within Microsoft Office Excel's file parsing logic. Excel reads a pointer value from attacker-controlled data inside a malicious spreadsheet and dereferences it without validating that the pointer references a safe memory region. This unsafe dereference can be steered to attacker-controlled memory, producing a controlled read or write primitive that leads to arbitrary code execution. The attack vector is local and requires the victim to open the crafted document.
Root Cause
The root cause is missing validation of a pointer field deserialized from an Excel document structure. Office file formats embed numerous offset and pointer-like fields that must be bounds-checked against the parsed object layout. When Excel trusts a pointer derived from untrusted input, the parser dereferences memory outside the intended object, corrupting program state.
Attack Vector
An attacker crafts a malicious Excel workbook containing manipulated structures that trigger the dereference when parsed. The attacker delivers the file via phishing email, malicious download, or shared collaboration platform. When the victim opens the file in a vulnerable version of Excel, the malformed structure is processed and code executes with the user's privileges. No network or authentication preconditions exist beyond convincing the user to open the file.
No verified public proof-of-concept is currently available. See the Microsoft CVE-2025-62560 Advisory for vendor technical details.
Detection Methods for CVE-2025-62560
Indicators of Compromise
- Unexpected child processes spawned by EXCEL.EXE, such as cmd.exe, powershell.exe, wscript.exe, rundll32.exe, or regsvr32.exe.
- Excel process crashes or access-violation events generated when opening .xls, .xlsx, .xlsm, or .xlsb files from email or untrusted shares.
- Outbound network connections initiated by EXCEL.EXE shortly after a document is opened.
Detection Strategies
- Hunt for process-lineage anomalies where Office applications launch interpreters or LOLBins, indicative of post-exploitation activity.
- Inspect inbound email attachments and shared spreadsheets for malformed BIFF or OOXML structures using sandbox detonation.
- Correlate Excel crash telemetry (Windows Error Reporting) with subsequent suspicious child-process activity on the same host.
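A hunt that implements the process-lineage and crash-correlation strategies above, as an added example and not part of this advisory; the event records are constructed samples in a Sysmon-like shape, and the 10-minute correlation window is an assumption to tune per environment.

```python
"""Process-lineage and crash-correlation hunt for the Excel exploitation pattern
described above. Events are constructed samples in a Sysmon-like shape, not real telemetry."""
from datetime import datetime, timedelta

# Interpreters and LOLBins that EXCEL.EXE should rarely launch (the IoC list above).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe"}
CRASH_WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment

# Constructed events: a lineage hit (WS01), a crash then a suspicious child (WS02), a benign child (WS03).
SAMPLE_EVENTS = [
    {"ts": "2025-12-10T09:00:00", "host": "WS01", "type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-12-10T09:05:00", "host": "WS02", "type": "app_crash",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"ts": "2025-12-10T09:07:30", "host": "WS02", "type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"ts": "2025-12-10T09:10:00", "host": "WS03", "type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
]

def _base(path):
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious_children(events):
    """Lineage rule: process_create events where EXCEL.EXE is the parent of a LOLBin."""
    return [ev for ev in events if ev["type"] == "process_create"
            and _base(ev["parent_image"]) == "excel.exe"
            and _base(ev["image"]) in SUSPICIOUS_CHILDREN]

def correlate_crash_then_child(events, window=CRASH_WINDOW):
    """Pair an Excel crash with a suspicious child on the same host within `window`.
    Returns (host, crash_ts, child_ts, child_image) tuples."""
    crashes = [ev for ev in events if ev["type"] == "app_crash" and _base(ev["image"]) == "excel.exe"]
    alerts = []
    for child in find_suspicious_children(events):
        t_child = datetime.fromisoformat(child["ts"])
        for crash in crashes:
            if crash["host"] != child["host"]:
                continue
            delta = t_child - datetime.fromisoformat(crash["ts"])
            if timedelta(0) <= delta <= window:  # child must follow the crash, not precede it
                alerts.append((child["host"], crash["ts"], child["ts"], _base(child["image"])))
    return alerts
```

The benign WS03 child (splwow64.exe, a print-spooler helper Excel launches legitimately) is deliberately left out of the hit list so the rule does not fire on routine Office activity.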
Monitoring Recommendations
- Enable command-line and module-load auditing for all Office binaries and forward events to a centralized analytics pipeline.
- Monitor file-write activity by EXCEL.EXE to autorun locations such as Startup, Run registry keys, and Scheduled Tasks.
- Track installation status of Microsoft's December 2025 Patch Tuesday updates across the fleet to identify unpatched endpoints.
How to Mitigate CVE-2025-62560
Immediate Actions Required
- Apply the security updates referenced in the Microsoft CVE-2025-62560 Advisory to all affected Office installations.
- Block or quarantine Excel attachments from external senders at the email gateway pending patch deployment.
- Enforce Protected View and Office Application Guard for documents originating from the internet or untrusted locations.
Patch Information
Microsoft has released security updates addressing CVE-2025-62560 for Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server. Refer to the Microsoft Security Response Center advisory for KB articles and channel-specific build numbers. Apply updates through Microsoft Update, WSUS, Intune, or the Click-to-Run servicing channel applicable to your deployment.
Workarounds
- Configure Attack Surface Reduction (ASR) rules to block Office applications from creating child processes.
- Disable execution of legacy Excel file formats via File Block policy where business workflows allow.
- Restrict opening of spreadsheets from untrusted locations by enforcing Mark-of-the-Web and Protected View through Group Policy.
# Configuration example: enable ASR rule blocking Office child processes
# Rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is "Block all Office applications from creating child processes".
# Note: Set-MpPreference overwrites the existing ASR rule list; use Add-MpPreference
# instead if other ASR rules are already configured and should be kept.
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.