CVE-2025-62557
Published: 09 December 2025
Description
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability in Microsoft Office by requiring timely application of vendor patches from the MSRC update guide.
Implements memory safeguards like DEP, ASLR, and control-flow integrity to block arbitrary code execution from use-after-free exploits in Microsoft Office.
Deploys malicious code protection mechanisms to scan and block malicious Office documents or payloads exploiting the local code execution vulnerability.
Security SummaryAI
CVE-2025-62557 is a use-after-free vulnerability (CWE-416) affecting Microsoft Office. Published on 2025-12-09, it has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw enables an unauthorized attacker to execute code locally.
An unauthorized attacker with local access to the system can exploit this vulnerability. Exploitation requires low complexity, no privileges, and no user interaction. Successful exploitation allows arbitrary code execution, resulting in high impacts to confidentiality, integrity, and availability.
The Microsoft Security Response Center has published an update guide for mitigation details at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62557.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The use-after-free vulnerability in Microsoft Office enables arbitrary code execution locally with no privileges or user interaction required, directly mapping to Exploitation for Client Execution (T1203).