CVE-2025-21390

High

Published: 11 February 2025

Published

11 February 2025

Modified

01 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0035 57.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Microsoft Excel Remote Code Execution Vulnerability

Security Summary

CVE-2025-21390 is a remote code execution vulnerability affecting Microsoft Excel. Published on 2025-02-11, it carries a CVSS 3.1 base score of 7.8, with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and is associated with CWE-122 and NVD-CWE-noinfo.

An attacker with local access can exploit this vulnerability by tricking a user into performing an action, such as opening a malicious Excel file, with low attack complexity and no privileges required. Successful exploitation enables remote code execution, resulting in high impacts to confidentiality, integrity, and availability within the affected system.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21390 provides further details on the vulnerability, including recommended patches and mitigation steps.

Details

CWE(s): CWE-122NVD-CWE-noinfo

Affected Products

microsoft

365 apps

all versions

microsoft

excel

2016

microsoft

office

2019

microsoft

office long term servicing channel

2021, 2024

microsoft

office online server

≤ 16.0.10416.20058

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21390
Patch, Vendor Advisory · secure@microsoft.com