Cyber Posture

CVE-2025-21392

High

Published: 11 February 2025
Modified: 01 July 2025
KEV Added: (not listed)
Patch: available
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Microsoft Office Remote Code Execution Vulnerability

Security Summary

CVE-2025-21392 is a remote code execution vulnerability in Microsoft Office, published on 2025-02-11. It is classified as CWE-416 (Use After Free), with an additional NVD-CWE-noinfo classification, and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires a local attack vector with low attack complexity and no privileges, but user interaction is required. A threat actor can leverage this to execute arbitrary code on the target system, with high impact to confidentiality, integrity, and availability.

Microsoft provides mitigation details, including patches, in its Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21392.

Details

CWE(s): CWE-416, NVD-CWE-noinfo

Affected Products

Vendor | Product | Versions
microsoft | 365 apps | all versions
microsoft | office | 2016, 2019
microsoft | office long term servicing channel | 2021, 2024

References