Cyber Posture

CVE-2025-21354

Severity: High

Published: 14 January 2025
Modified: 25 August 2025
KEV Added: (not listed)
Patch: (see vendor advisory below)
CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0173 (82.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Microsoft Excel Remote Code Execution Vulnerability

Security Summary

CVE-2025-21354 is a Remote Code Execution vulnerability in Microsoft Excel. Published on 2025-01-14, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-822 (Untrusted Pointer Dereference) along with NVD-CWE-noinfo.

Per the CVSS vector, the vulnerability is exploitable by a local attacker (AV:L) with low attack complexity, no privileges, and no user interaction required. Successful exploitation allows the attacker to execute arbitrary code in the context of the affected Excel instance, with high impact on confidentiality, integrity, and availability.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21354 provides details on mitigation, including available patches and recommended actions for security practitioners.

Details

CWE(s)
CWE-822 (Untrusted Pointer Dereference), NVD-CWE-noinfo

Affected Products

Vendor      Product                              Versions
microsoft   365 apps                             all versions
microsoft   office                               2019
microsoft   office long term servicing channel   2021, 2024
microsoft   office online server                 ≤ 16.0.10416.20047

References