CVE-2025-62554
Published: 09 December 2025
Description
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, and timely patching of flaws like this type confusion vulnerability in Microsoft Office to prevent exploitation.
Implements memory protections such as ASLR and DEP that directly mitigate type confusion attacks by preventing reliable code execution from memory corruption.
Deploys malicious code protection mechanisms at entry points to scan and block malicious Office files exploiting the type confusion for local code execution.
Security SummaryAI
CVE-2025-62554 is a type confusion vulnerability (CWE-843), specifically an access of resource using incompatible type, affecting Microsoft Office. Published on 2025-12-09, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by an unauthorized local attacker with low-complexity methods and no required privileges or user interaction. Successful exploitation enables arbitrary code execution on the affected system, potentially leading to full compromise given the high impact ratings across all security principles.
For mitigation details, refer to the official advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62554, which provides guidance from Microsoft Security Response Center on patches and workarounds.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion vulnerability in Microsoft Office enabling arbitrary code execution with no privileges or user interaction, directly facilitating T1203: Exploitation for Client Execution.