Microsoft Patches Multiple Office, Word, and Outlook RCE Flaws
Microsoft disclosed and patched several remote code execution vulnerabilities affecting Microsoft Office, Word, and Outlook, including CVE-2025-49698, CVE-2025-49702, CVE-2025-54906, CVE-2025-62554, CVE-2025-62557, CVE-2025-62558, and CVE-2025-62562. The advisories identify repeated RCE issues across core productivity applications, with separate entries for Office-wide flaws as well as product-specific weaknesses in Word and Outlook.
The cluster of disclosures indicates a sustained stream of code-execution bugs in Microsoft’s document and messaging ecosystem, raising the risk of compromise through malicious files or email content handled by widely deployed enterprise software. Organizations using Microsoft 365 and on-premises Office components should prioritize the relevant security updates and verify patch coverage for Office, Word, and Outlook installations across user endpoints.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2025-62555 in Word
Microsoft published a Security Update Guide entry for CVE-2025-62555, identified as a Microsoft Word remote code execution vulnerability. The advisory marks the official disclosure or patch release for this additional December Office-related flaw.
Microsoft releases December advisories for Office, Word, and Outlook RCE flaws
Microsoft published Security Update Guide entries for CVE-2025-62554, CVE-2025-62557, CVE-2025-62558, and CVE-2025-62562, covering remote code execution vulnerabilities in Microsoft Office, Word, and Outlook. These entries reflect a coordinated December disclosure and update release for multiple related flaws.
Microsoft discloses CVE-2025-54906 in Office
Microsoft published a Security Update Guide entry for CVE-2025-54906, identified as a Microsoft Office remote code execution vulnerability. The advisory marks the official disclosure or patch release for this issue.
Microsoft discloses CVE-2025-49703 in Word
Microsoft published a Security Update Guide entry for CVE-2025-49703, identified as a Microsoft Word remote code execution vulnerability. The advisory reflects the official disclosure or patch release for this separate Office-related flaw.
Microsoft publishes fixes for CVE-2025-49702 and CVE-2025-49698
Microsoft's Security Update Guide added advisories for CVE-2025-49702, a Microsoft Office remote code execution vulnerability, and CVE-2025-49698, a Microsoft Word remote code execution vulnerability. This indicates patches or official vulnerability disclosures were released on that date.
Sources
9 references tracked. Mallory keeps watching after this page renders.
CVE-2025-62558 - Security Update Guide - Microsoft - Microsoft Word Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62554 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62557 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62555 - Security Update Guide - Microsoft - Microsoft Word Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62562 - Security Update Guide - Microsoft - Microsoft Outlook Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-54906 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-49698 - Security Update Guide - Microsoft - Microsoft Word Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-49703 - Security Update Guide - Microsoft - Microsoft Word Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-49702 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Critical Office and Outlook Preview Pane RCE Flaws
Microsoft has released fixes for multiple **critical Microsoft Office, Word, and Outlook Classic vulnerabilities** that can lead to remote code execution when a victim opens or previews a specially crafted file or email. The affected flaws include Office bugs **CVE-2025-49695**, **CVE-2025-49696**, **CVE-2025-49697**, **CVE-2025-49699**, **CVE-2025-49702**, Word bug **CVE-2025-49698**, and newer Outlook/Word rendering issues **CVE-2026-45456**, **CVE-2026-45458**, and **CVE-2026-47635**. Microsoft described the bugs as stemming from memory-safety issues such as **use-after-free**, **heap-based buffer overflow**, **type confusion**, and **out-of-bounds read**, with several carrying **CVSS 8.4** ratings. In multiple cases, Microsoft said the **Preview Pane** can trigger exploitation, and some flaws may be exploited without additional user interaction once malicious content is rendered. Microsoft said the vulnerable code paths affect Office and Word components, including the **Word rendering engine** used by **Outlook Classic**, and that supported builds such as **Microsoft Office LTSC 2024** and Mac Office LTSC channels received updates, with some Mac patches arriving later. Most of the 2025 flaws were not publicly disclosed or exploited at publication, though Microsoft assessed some as **more likely** to be exploited; the 2026 Outlook and Word issues similarly prompted urgent patching guidance because remotely delivered email content can trigger local processing and code execution. Microsoft urged organizations to install all applicable updates and strengthen defenses around Office email handling, including **Protected View**, **Attack Surface Reduction** rules, and monitoring for suspicious Office child-process activity.
Jun 12, 2026
Microsoft Patches Critical Office and Word Use-After-Free RCE Flaws
Microsoft disclosed and fixed two critical use-after-free vulnerabilities affecting **Microsoft Office** and **Microsoft Word**: `CVE-2026-40358` and `CVE-2026-40366`. Both bugs are classified as **CWE-416** and carry a **CVSS 8.4** rating, with Microsoft assessing impacts to confidentiality, integrity, and availability as high. The company said neither flaw had been publicly disclosed or exploited in the wild at the time of publication, and it rated exploitation as less likely. Microsoft said the vulnerabilities can lead to remote code execution, although the attack vector is described as **local**, with the **Preview Pane** able to serve as an attack path when malicious content is handled. The disclosures continue a broader pattern of Microsoft patching multiple remote code execution issues across its product line, including earlier Office flaws such as `CVE-2024-30101`, `CVE-2025-24080`, and `CVE-2025-59234`, as well as RCE bugs in Windows Connected Devices Platform Service, Remote Desktop Protocol, and Inbox COM Objects.
Jun 21, 2026
Microsoft Patches Repeated Remote Code Execution Flaws Across Office Apps
Microsoft published a long series of security advisories for **remote code execution** vulnerabilities affecting core Office components, with the largest concentration in **Excel** and **Word**. The disclosures include Excel flaws such as `CVE-2024-49026`, `CVE-2024-49069`, `CVE-2025-21362`, `CVE-2025-21381`, `CVE-2025-21387`, `CVE-2025-24082`, `CVE-2025-62553`, `CVE-2026-26107`, `CVE-2026-26109`, `CVE-2026-26112`, and `CVE-2026-40359`, alongside Word issues including `CVE-2025-24077`, `CVE-2025-24078`, `CVE-2025-47170`, `CVE-2025-49700`, `CVE-2025-59222`, `CVE-2026-23657`, and `CVE-2026-33095`. Microsoft also listed related RCE bugs in **Microsoft Office** (`CVE-2025-21392`), **PowerPoint** (`CVE-2025-54908`), **Inbox COM Objects (Global Memory)** (`CVE-2025-58730`), and the **Visual Studio Code Python Extension** (`CVE-2025-49714`). One of the few entries with technical detail, **`CVE-2026-40359`**, describes an **Important** Excel use-after-free flaw (`CWE-416`) with a **CVSS 3.1 score of 7.8** that can let an attacker execute code if a user opens a malicious Office file. Microsoft said the bug was **not publicly disclosed**, **not exploited in the wild**, and **less likely** to be exploited at the time of publication, adding that the **Preview Pane is not an attack vector** and that a fix is available. Taken together, the advisories show Microsoft continuing to address document-driven code execution risks across Office products, where successful exploitation generally depends on **user interaction with crafted files** rather than direct network exposure.
May 25, 2026