CVE-2025-21345
Published: 14 January 2025
Description
Microsoft Office Visio Remote Code Execution Vulnerability
Security Summary
CVE-2025-21345 is a Remote Code Execution vulnerability affecting Microsoft Office Visio. Published on 2025-01-14, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-416 (Use After Free), though additional CWE details are unavailable from NVD.
Per the CVSS vector, exploitation requires local access to the target system (AV:L), low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R). A successful exploit gives the attacker remote code execution with high impact on the confidentiality, integrity, and availability of the affected system.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21345 provides details on mitigation, including available patches.
Details
- CWE(s)