CVE-2025-21362
Published: 14 January 2025
Description
Microsoft Excel Remote Code Execution Vulnerability
Security Summary
CVE-2025-21362 is a remote code execution vulnerability affecting Microsoft Excel. It stems from a use-after-free error (CWE-416) and carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on January 14, 2025.
An attacker with local access to the target system can exploit this vulnerability with low attack complexity, and without privileges or user interaction. Successful exploitation allows the attacker to achieve high-impact remote code execution, potentially compromising confidentiality, integrity, and availability by executing arbitrary code in the context of the Excel process.
Microsoft's Security Response Center provides detailed guidance and patch information in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21362 and recommends that affected users apply the available security updates to mitigate the issue.
Details
- CWE(s)