CVE-2025-21394
Published: 11 February 2025
Description
Microsoft Excel Remote Code Execution Vulnerability
Security Summary
CVE-2025-21394 is a Remote Code Execution vulnerability affecting Microsoft Excel. Published on 2025-02-11, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-416 (Use After Free), though additional CWE details are unavailable from NVD.
The attack vector is local (AV:L): exploitation has low complexity and requires no privileges, but it does depend on user interaction (UI:R), such as the user opening a malicious Excel file. Successful exploitation allows arbitrary code execution in the context of the user, with high impact on confidentiality, integrity, and availability.
For mitigation details, refer to the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21394.
Details
- CWE(s)