CVE-2025-62564 Overview
CVE-2025-62564 is an out-of-bounds read vulnerability [CWE-125] in Microsoft Office Excel. An unauthorized attacker can leverage the flaw to execute code locally after a user opens a crafted Excel file. The vulnerability affects multiple Microsoft Office product lines including Microsoft 365 Apps, Excel 2016, Office 2019, the Office Long Term Servicing Channel (2021 and 2024), and Office Online Server. Microsoft published the advisory on December 9, 2025.
Critical Impact
Successful exploitation results in arbitrary code execution in the context of the current user, with high impact to confidentiality, integrity, and availability. Exploitation requires user interaction with a malicious Excel document.
Affected Products
- Microsoft 365 Apps (Enterprise, x64 and x86)
- Microsoft Excel 2016, Microsoft Office 2019, Office LTSC 2021 and 2024 (including macOS builds)
- Microsoft Office Online Server
Discovery Timeline
- 2025-12-09 - CVE-2025-62564 published to NVD
- 2025-12-09 - Last updated in NVD database
Technical Details for CVE-2025-62564
Vulnerability Analysis
The flaw is an out-of-bounds read condition in the Excel parsing code path. Excel reads beyond the bounds of an allocated buffer when processing a malformed spreadsheet structure. The read primitive leaks adjacent memory contents and can be combined with controlled object layout to redirect execution flow.
Microsoft classifies the issue as enabling local code execution. The attack vector is local because the attacker must deliver a malicious file to the victim and the victim must open it in a vulnerable Excel build. Once executed, the attacker runs code with the privileges of the signed-in user.
The vulnerability impacts both Windows and macOS variants of the Office LTSC builds, along with the server-side Office Online Server rendering component. EPSS data lists the exploitation probability at a low value as of the assessment date, and no public proof-of-concept or in-the-wild exploitation has been reported.
Root Cause
The root cause is improper validation of length or offset fields inside an Excel document record. When the parser uses an attacker-supplied value to index into a buffer without verifying it against the allocation size, the read extends past the buffer boundary, satisfying the [CWE-125] pattern.
Attack Vector
An attacker crafts a malicious .xlsx, .xls, or related Excel file and delivers it through email, a shared drive, or a web download. When the user opens the file, the malformed record triggers the out-of-bounds read and the chained code execution primitive. Preview pane and Protected View behaviors should be considered when assessing exposure, as documented in the Microsoft advisory.
No verified exploit code is publicly available. See the Microsoft CVE-2025-62564 Advisory for vendor technical details.
Detection Methods for CVE-2025-62564
Indicators of Compromise
- Unexpected child processes spawned by EXCEL.EXE, such as cmd.exe, powershell.exe, rundll32.exe, or mshta.exe.
- Excel processes writing executable content to user-writable paths including %TEMP%, %APPDATA%, or %PUBLIC%.
- Outbound network connections initiated from EXCEL.EXE to untrusted hosts shortly after a document is opened.
Detection Strategies
- Hunt for Excel files arriving from external senders that contain anomalous record structures or oversized binary streams.
- Correlate document open events with subsequent process creation, script interpreter launches, and file write activity.
- Inspect endpoint telemetry for crashes or exception events in EXCEL.EXE that may indicate exploitation attempts.
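As an added example (not from this page or from Microsoft), the Python below applies the three indicators listed above and the open-event correlation strategy to constructed Sysmon-style telemetry: it tracks EXCEL.EXE processes, then flags suspicious child processes, executable writes to user-writable paths, and early outbound connections to hosts outside an allowlist. The flattened event format, field names, trusted-host list and 60-second window are assumptions.

```python
import re
import ntpath

# Constructed Sysmon-style telemetry flattened to key=value fields (event id 1 =
# process create, 11 = file create, 3 = network connect). Not real logs.
SAMPLE_EVENTS = [
    "id=1 time=10:00:01 pid=4100 ppid=900 image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
    "id=1 time=10:00:07 pid=4188 ppid=4100 image=C:\\Windows\\System32\\cmd.exe",
    "id=11 time=10:00:08 pid=4100 target=C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe",
    "id=3 time=10:00:09 pid=4100 dest=203.0.113.7:443",
    "id=3 time=10:00:10 pid=4100 dest=officecdn.example:443",
    "id=1 time=10:09:00 pid=4300 ppid=4100 image=C:\\Windows\\splwow64.exe",
    "id=11 time=10:09:01 pid=4100 target=C:\\Users\\bob\\Documents\\budget.xlsx",
]

SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # %APPDATA%, %TEMP%, %PUBLIC%
EXEC_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1")

def parse(line):
    # Values may contain spaces (e.g. "Program Files"), so split on the next " key=".
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def secs(hhmmss):
    h, m, s = map(int, hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def triage(events, trusted_hosts=frozenset(), window_s=60):
    excel_start = {}  # pid of an EXCEL.EXE process -> its start time in seconds
    alerts = []       # (rule, excel_pid, detail)
    for ev in map(parse, events):
        kind, pid = ev["id"], ev["pid"]
        if kind == "1":
            name = ntpath.basename(ev["image"]).lower()
            if name == "excel.exe":
                excel_start[pid] = secs(ev["time"])
            elif ev["ppid"] in excel_start and name in SUSPICIOUS_CHILDREN:
                alerts.append(("child_process", ev["ppid"], name))
        elif kind == "11" and pid in excel_start:
            path = ev["target"].lower()
            if path.endswith(EXEC_EXT) and any(m in path for m in USER_WRITABLE):
                alerts.append(("exec_write", pid, ev["target"]))
        elif kind == "3" and pid in excel_start:
            host = ev["dest"].rsplit(":", 1)[0]
            if host not in trusted_hosts and secs(ev["time"]) - excel_start[pid] <= window_s:
                alerts.append(("early_outbound", pid, host))
    return alerts

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS, trusted_hosts={"officecdn.example"}):
        print(f"{rule:15} excel_pid={pid} {detail}")
```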
Monitoring Recommendations
- Enable Microsoft Defender Attack Surface Reduction rules that block Office applications from creating child processes.
- Forward Office process and file activity logs to a centralized analytics platform for retention and correlation.
- Monitor for delivery of Excel attachments through email gateways and flag files with unusual macros, embedded objects, or binary record anomalies.
How to Mitigate CVE-2025-62564
Immediate Actions Required
- Apply the Microsoft security updates referenced in the Microsoft CVE-2025-62564 Advisory to all affected Office and Microsoft 365 Apps installations.
- Inventory endpoints and servers running Excel 2016, Office 2019, Office LTSC 2021 or 2024, and Office Online Server, and prioritize patching internet-exposed and high-privilege users.
- Restrict opening of Excel files originating from outside the organization until patching is complete.
Patch Information
Microsoft has released updates addressing CVE-2025-62564 across the affected product channels. Microsoft 365 Apps users should ensure the Click-to-Run service has pulled the latest December 2025 build. Volume-licensed Office 2016, 2019, and LTSC 2021/2024 customers must deploy the corresponding MSP packages, and Office Online Server administrators must update the server farm. Refer to the vendor advisory for build numbers.
Workarounds
- Enforce Protected View and Office Application Guard for documents originating from the internet or email attachments.
- Disable preview-pane rendering of Excel files in Outlook and Windows Explorer until patches are deployed.
- Block macro execution from internet-sourced Office documents using existing Microsoft Group Policy settings.
# Group Policy-backed registry example: block macros in files from the internet for Excel
# (the "Block macros from running in Office files from the Internet" policy writes to the Policies hive)
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security" /v BlockContentExecutionFromInternet /t REG_DWORD /d 1 /f
# Disable Outlook preview pane for attachments
reg add "HKCU\Software\Microsoft\Office\16.0\Outlook\Options" /v DisableReadingPaneAutoPreview /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.