
Critical Flaws in Microsoft Office Enable Remote Code Execution by Attackers

Microsoft has disclosed two serious security vulnerabilities in its Office suite that allow attackers to execute arbitrary code on affected systems.

Both flaws were publicly disclosed on September 9, 2025, and have been assigned the CVE identifiers CVE-2025-54910 and CVE-2025-54906.

These critical issues affect Microsoft Office on Windows and can be exploited by attackers to gain full control over targeted machines.

Overview of the Vulnerabilities

The first flaw, tracked as CVE-2025-54910, is a heap-based buffer overflow in the Office rendering engine.

Attackers can trigger the overflow by convincing a user to open a specially crafted document with malicious content.

Vulnerability        CVE-2025-54910            CVE-2025-54906
Assigning CNA        Microsoft                 Microsoft
Impact               Remote Code Execution     Remote Code Execution
Max Severity         Critical                  Important
CVSS 3.1 Scores      8.4 base / 7.3 temporal   7.8 base / 6.8 temporal

Successful exploitation results in remote code execution under the context of the current user, potentially allowing installation of programs or deletion of data.

Microsoft rates this defect as Critical, with a CVSS 3.1 base score of 8.4 and a temporal score of 7.3.

The second issue, CVE-2025-54906, is a use-after-free vulnerability in the component responsible for processing embedded objects.

In this case, an attacker must lure a victim into opening a malicious document, causing Office to reference freed memory.

This leads to arbitrary code execution with the user’s privileges. Although slightly less severe than the buffer overflow, the highest possible impact remains Remote Code Execution.

Microsoft classifies this flaw as Important, assigning it a CVSS 3.1 base score of 7.8 and a temporal score of 6.8.

Both vulnerabilities share similar exploitation scenarios: they require user interaction to open a booby-trapped Office file.

No elevated privileges or special configuration are needed on the victim's side, although the malicious document may be delivered over the network.

Attackers commonly distribute these files via phishing emails or compromised websites. Once executed, the payload can install malware, steal sensitive data, or create persistent backdoors.

Mitigation and Patching

Microsoft has released security updates to address both vulnerabilities in supported versions of Office for Windows.

System administrators and end users should apply the patches immediately via Windows Update or the Microsoft Update Catalog. Enabling automatic updates ensures future fixes are installed promptly.
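As an added example (not from the article and not Microsoft's own tooling), the following PowerShell script reports the Office build installed on a Windows host and, for Click-to-Run installs, can trigger an update check. The article does not list the fixed build numbers, so $MinimumFixedBuild is a placeholder that must be replaced with the build Microsoft names in its advisory for the update channel in use; the registry paths and the OfficeC2RClient.exe switch are standard Office locations, not values taken from the page.

```powershell
# Added example, not from the article or from Microsoft: report the installed
# Office build on a Windows host so it can be compared with the fixed build
# Microsoft lists for CVE-2025-54910 / CVE-2025-54906.
# $MinimumFixedBuild is a PLACEHOLDER (assumption): replace it with the build
# number from the Microsoft advisory for the channel in use.
$MinimumFixedBuild = [version]'0.0.0.0'

function Get-OfficeBuildReport {
    [CmdletBinding()]
    param([version]$MinimumBuild = $MinimumFixedBuild)

    $results = @()

    # Click-to-Run installs (Microsoft 365 Apps, Office 2019/2021/2024) record
    # the current build in the VersionToReport value.
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2rKey) {
        $c2r   = Get-ItemProperty -Path $c2rKey
        $build = [version]$c2r.VersionToReport
        $results += [pscustomobject]@{
            InstallType = 'Click-to-Run'
            Build       = $build
            AtOrAbove   = ($build -ge $MinimumBuild)
        }
    }

    # MSI / volume-licensed installs: read the version stamped on WINWORD.EXE,
    # located through its App Paths registration.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
    if (Test-Path $appPath) {
        $exe = (Get-ItemProperty -Path $appPath).'(default)'
        if ($exe -and (Test-Path $exe)) {
            $build = [version](Get-Item $exe).VersionInfo.ProductVersion
            $results += [pscustomobject]@{
                InstallType = 'WINWORD.EXE'
                Build       = $build
                AtOrAbove   = ($build -ge $MinimumBuild)
            }
        }
    }

    if (-not $results) {
        Write-Warning 'No Office installation detected on this host.'
    }
    return $results
}

function Invoke-OfficeClickToRunUpdate {
    # Ask the Click-to-Run client to check for and install updates now
    # (the same action as File > Account > Update Now inside an Office app).
    $client = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
    if (-not (Test-Path $client)) {
        Write-Warning 'OfficeC2RClient.exe not found; this is not a Click-to-Run install.'
        return
    }
    & $client /update user displaylevel=false
}

# Usage: print the report, then trigger an update on a host still below the fixed build.
$report = Get-OfficeBuildReport
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.AtOrAbove }) {
    Invoke-OfficeClickToRunUpdate
}
```

Run the script in an elevated PowerShell session on each managed host, or push it through your endpoint-management tool. With the placeholder left at 0.0.0.0 every install reports AtOrAbove = True, so the comparison is only meaningful once the real fixed build from Microsoft's advisory has been filled in.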

CVE-2025-54910 and CVE-2025-54906 represent significant risks that can lead to full system compromise.

Prompt application of Microsoft’s security updates is the most effective defense. Users should remain vigilant against phishing attempts and untrusted file sources to minimize the chance of exploitation.
