CVE-2025-62563 Overview
CVE-2025-62563 is a use-after-free vulnerability [CWE-416] in Microsoft Office Excel that allows an unauthorized attacker to execute code locally. The flaw affects multiple Microsoft Office product lines, including Microsoft 365 Apps, Excel 2016, Office 2019, Office Long Term Servicing Channel (LTSC) 2021 and 2024, and Office Online Server. Exploitation requires user interaction, typically by opening a crafted Excel document. Microsoft published the advisory on December 9, 2025.
Critical Impact
Successful exploitation yields code execution in the context of the user running Excel, compromising confidentiality, integrity, and availability of the host.
Affected Products
- Microsoft 365 Apps (Enterprise x64 and x86)
- Microsoft Excel 2016, Microsoft Office 2019
- Microsoft Office LTSC 2021 and 2024 (Windows and macOS), Microsoft Office Online Server
Discovery Timeline
- 2025-12-09 - CVE-2025-62563 published to NVD and Microsoft Security Update Guide
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-62563
Vulnerability Analysis
The vulnerability is a use-after-free condition in Microsoft Office Excel. A use-after-free occurs when application code references memory after that memory has been released; if an attacker can reallocate the freed block before the stale reference is used, the program then operates on attacker-influenced contents, which allows manipulation of heap state. In Excel, this class of bug typically arises during parsing of complex document structures, such as embedded objects, formula references, or chart data, where object lifetimes are mismanaged between handlers.
An attacker crafts a malicious spreadsheet that triggers the freeing of an internal object while a dangling pointer remains in use. Subsequent operations dereference the stale pointer, allowing the attacker to redirect execution flow into attacker-controlled data and achieve arbitrary code execution within the Excel process.
Root Cause
The root cause is improper object lifetime management in Excel's document processing code, classified as CWE-416. Code paths release a heap object but retain references to it, and later operations dereference the freed memory, enabling controlled corruption of the heap.
Attack Vector
The attack vector is local with required user interaction. An attacker delivers a weaponized .xlsx, .xls, or related Excel file through email, web download, or shared storage. When the victim opens the file, parsing logic triggers the use-after-free and executes attacker-supplied shellcode at the privilege level of the current user. No verified public proof-of-concept exists at this time, and the EPSS probability is 0.596%.
No verified exploit code is publicly available. See the Microsoft Security Update Guide entry for CVE-2025-62563 for vendor technical details.
Detection Methods for CVE-2025-62563
Indicators of Compromise
- Excel processes (EXCEL.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, rundll32.exe, or wscript.exe.
- Anomalous network connections originating from EXCEL.EXE to untrusted external hosts shortly after document open.
- Crash dumps or Windows Error Reporting events referencing Excel with access violations in heap regions.
- New files written to user-writable persistence locations (Startup folder, Run registry keys) immediately following Excel activity.
Detection Strategies
- Hunt for parent-child process relationships where EXCEL.EXE launches script interpreters or LOLBins.
- Monitor for suspicious DLL loads inside EXCEL.EXE from non-standard paths, including %TEMP% and user profile directories.
- Inspect inbound email attachments and downloaded spreadsheets with sandbox detonation focused on heap corruption telemetry.
Monitoring Recommendations
- Enable and forward Microsoft Defender Attack Surface Reduction (ASR) audit events for Office child-process and code-injection rules.
- Centralize Sysmon Event IDs 1 (process creation), 7 (image/DLL load), and 11 (file creation) from endpoints running Office to a SIEM for retroactive hunting.
- Track Office telemetry through Microsoft 365 Defender alerts tagged with exploit or memory corruption categories.
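As an added illustration of the hunts described above (not part of the original advisory), the following Python script applies the three detection ideas to a handful of constructed, simplified Sysmon-style records: Event ID 1 for EXCEL.EXE spawning a script interpreter or LOLBin, Event ID 7 for a DLL loaded into EXCEL.EXE from a user-profile path (which covers %TEMP%), and Event ID 11 for a file written by Excel into the Startup folder. The field names mirror Sysmon's (Image, ParentImage, ImageLoaded, TargetFilename), but the events themselves are made up, and the interpreter list extends the advisory's four names with a few further LOLBins as an assumption.

```python
"""Hunt simplified Sysmon-style records for suspicious EXCEL.EXE behaviour.

Added example, not from the advisory. Sample events below are constructed.
"""
import ntpath
from typing import Optional

# Script interpreters and LOLBins an Excel process has no business launching.
# cmd.exe, powershell.exe, rundll32.exe and wscript.exe come from the advisory;
# the remaining names are an assumption about what a broader hunt would cover.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "regsvr32.exe", "certutil.exe",
}

# Any DLL loaded from under a user profile (this includes %TEMP%) is treated
# as a non-standard path for Office.
USER_PROFILE_PREFIX = "c:\\users\\"
# Per-user Startup folder, one of the persistence locations named in the IoCs.
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def is_excel(path: str) -> bool:
    return image_name(path) == "excel.exe"


def classify(event: dict) -> Optional[str]:
    """Return the matching rule name for one record, or None if it is benign."""
    eid = event.get("EventID")
    if eid == 1:  # process creation: Excel as parent of an interpreter/LOLBin
        if is_excel(event.get("ParentImage", "")) and \
                image_name(event.get("Image", "")) in SUSPICIOUS_CHILDREN:
            return "excel_spawns_interpreter"
    elif eid == 7:  # image load: DLL mapped into Excel from a user profile path
        loaded = event.get("ImageLoaded", "").lower()
        if is_excel(event.get("Image", "")) and loaded.startswith(USER_PROFILE_PREFIX):
            return "excel_loads_dll_from_user_profile"
    elif eid == 11:  # file creation: Excel dropping something into Startup
        target = event.get("TargetFilename", "").lower()
        if is_excel(event.get("Image", "")) and STARTUP_FOLDER_MARKER in target:
            return "excel_writes_startup_folder"
    return None


def hunt(events):
    """Run classify() over every record; return (index, rule, artifact) per hit."""
    hits = []
    for i, ev in enumerate(events):
        rule = classify(ev)
        if rule is None:
            continue
        if rule == "excel_spawns_interpreter":
            artifact = ev.get("Image")
        elif rule == "excel_loads_dll_from_user_profile":
            artifact = ev.get("ImageLoaded")
        else:
            artifact = ev.get("TargetFilename")
        hits.append((i, rule, artifact))
    return hits


# Constructed sample telemetry: three benign records interleaved with three hits.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": EXCEL},
    {"EventID": 1, "ParentImage": EXCEL,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 7, "Image": EXCEL, "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 7, "Image": EXCEL,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\stage.dll"},
    {"EventID": 11, "Image": EXCEL,
     "TargetFilename": r"C:\Users\alice\Documents\~$budget.xlsx"},
    {"EventID": 11, "Image": EXCEL,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
]

if __name__ == "__main__":
    for index, rule, artifact in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule} -> {artifact}")
```

In production the dicts would be replaced by events exported from the SIEM or read from the Sysmon operational log, and the user-profile prefix and interpreter set tuned to the environment; the rule structure itself is what the hunt in the Detection Strategies list describes.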
How to Mitigate CVE-2025-62563
Immediate Actions Required
- Apply Microsoft's December 2025 security updates for all affected Office products, prioritizing internet-facing or shared workstations.
- Inventory deployed Office versions and confirm patch level using configuration management or vulnerability scanning.
- Block inbound Excel attachments from untrusted senders at the email gateway until patches are deployed.
Patch Information
Microsoft released fixed builds through the Microsoft Security Update Guide on December 9, 2025. Refer to the Microsoft Security Update Guide entry for CVE-2025-62563 for build numbers per channel (Microsoft 365 Apps, Office 2019, Office LTSC 2021, Office LTSC 2024, Office Online Server, and Office for Mac).
Workarounds
- Enable Protected View and Office Application Guard to contain malicious documents from email and the internet.
- Configure ASR rules to block Office applications from creating child processes and from injecting code into other processes.
- Disable legacy file formats and macros where business processes allow, and enforce signed-macros-only policies via Group Policy.
```powershell
# Enable key Attack Surface Reduction rules via PowerShell (run elevated).
# Add-MpPreference appends to the existing rule set rather than replacing it.

# Block all Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

# Block Office applications from injecting code into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled

# Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.