CVE-2025-24082
Published: 11 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-24082 is a use-after-free vulnerability (CWE-416) in Microsoft Office Excel. It affects the Excel component of Microsoft Office, enabling an unauthorized attacker to execute code locally on a victim's machine. The vulnerability was published on 2025-03-11 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
An unauthorized local attacker can exploit this vulnerability by tricking a user into performing an action such as opening a malicious Excel file: the attack vector is local, attack complexity is low, no privileges are required, but user interaction is needed. Successful exploitation allows arbitrary code execution in the context of the affected process, potentially leading to full local compromise of the system.
Microsoft has published details and guidance in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24082, which security practitioners should consult for patch availability and mitigation recommendations.
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in Excel enables arbitrary code execution via a malicious file opened by the user, which maps directly to client-side exploitation and malicious file execution.