Microsoft disclosed multiple Office and Excel remote code execution flaws
Microsoft published security advisories for several remote code execution vulnerabilities affecting Microsoft Office and Microsoft Excel, including CVE-2025-24057, CVE-2025-24075, and CVE-2025-47162. The issues were listed in the Microsoft Security Update Guide as Office-family flaws that could allow arbitrary code execution if successfully exploited.
The disclosures indicate that the affected attack surface spans both the broader Office suite and Excel specifically, underscoring continued risk from malicious documents and content processed by productivity software. Organizations using Microsoft Office should prioritize review of the relevant advisories and deployment of associated security updates for the affected products tied to these CVEs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes fix for CVE-2025-47162
Microsoft released a Security Update Guide advisory for CVE-2025-47162, a Microsoft Office remote code execution vulnerability. The advisory was published in June 2025.
Microsoft publishes fixes for CVE-2025-24057 and CVE-2025-24075
Microsoft released Security Update Guide advisories for CVE-2025-24057, a Microsoft Office remote code execution vulnerability, and CVE-2025-24075, a Microsoft Excel remote code execution vulnerability. The advisories were published on Patch Tuesday in March 2025.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2025-47162 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-24057 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-24075 - Security Update Guide - Microsoft - Microsoft Excel Remote Code Execution Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Repeated Remote Code Execution Flaws Across Office Apps
Microsoft published a long series of security advisories for **remote code execution** vulnerabilities affecting core Office components, with the largest concentration in **Excel** and **Word**. The disclosures include Excel flaws such as `CVE-2024-49026`, `CVE-2024-49069`, `CVE-2025-21362`, `CVE-2025-21381`, `CVE-2025-21387`, `CVE-2025-24082`, `CVE-2025-62553`, `CVE-2026-26107`, `CVE-2026-26109`, `CVE-2026-26112`, and `CVE-2026-40359`, alongside Word issues including `CVE-2025-24077`, `CVE-2025-24078`, `CVE-2025-47170`, `CVE-2025-49700`, `CVE-2025-59222`, `CVE-2026-23657`, and `CVE-2026-33095`. Microsoft also listed related RCE bugs in **Microsoft Office** (`CVE-2025-21392`), **PowerPoint** (`CVE-2025-54908`), **Inbox COM Objects (Global Memory)** (`CVE-2025-58730`), and the **Visual Studio Code Python Extension** (`CVE-2025-49714`). One of the few entries with technical detail, **`CVE-2026-40359`**, describes an **Important** Excel use-after-free flaw (`CWE-416`) with a **CVSS 3.1 score of 7.8** that can let an attacker execute code if a user opens a malicious Office file. Microsoft said the bug was **not publicly disclosed**, **not exploited in the wild**, and **less likely** to be exploited at the time of publication, adding that the **Preview Pane is not an attack vector** and that a fix is available. Taken together, the advisories show Microsoft continuing to address document-driven code execution risks across Office products, where successful exploitation generally depends on **user interaction with crafted files** rather than direct network exposure.
May 25, 2026
Microsoft patches multiple remote code execution flaws in Office and Windows graphics
Microsoft disclosed and patched several remote code execution vulnerabilities affecting **Microsoft Office**, **Excel**, and Windows graphics components, including `CVE-2026-42831`, `CVE-2026-26108`, `CVE-2025-49742`, `CVE-2024-49031`, `CVE-2024-49065`, and `CVE-2026-35421`. The issues span Office document handling, Excel, the **Office Graphics** stack, the **Windows Graphics Component**, and **Windows GDI**, indicating broad exposure across common user-facing software used to process files and render content. Microsoft said `CVE-2026-42831` is a **heap-based buffer overflow** in Microsoft Office that can allow code execution when a user opens a malicious Office file. The flaw carries a **CVSS 7.8** score, requires user interaction, and is **not exploitable through the Preview Pane**; Microsoft also said it was **not publicly disclosed**, **not observed in the wild**, and assessed as **less likely to be exploited**, with a security fix available. The related advisories point to a recurring risk pattern in which crafted documents or graphics content can trigger code execution on victim systems, reinforcing the need to prioritize patching for Office and Windows rendering components.
May 25, 2026
Multiple Microsoft Excel Remote Code Execution Flaws Added to MSRC Update Guide
Microsoft added several **Microsoft Excel Remote Code Execution** entries to its Security Update Guide, including `CVE-2025-62556`, `CVE-2025-62564`, `CVE-2025-54896`, and `CVE-2025-59233`. The advisories identify the affected product as Microsoft Excel and classify each issue as a remote code execution vulnerability, indicating that successful exploitation could allow arbitrary code to run in the context of the targeted application. The referenced entries were published across multiple update cycles in 2025, with `CVE-2025-54896` appearing in September, `CVE-2025-59233` in October, and `CVE-2025-62556` and `CVE-2025-62564` in December. Microsoft provided the vulnerabilities through its MSRC Security Update Guide, but the referenced records did not include public synopses in the source material, leaving the CVE identifiers and product classification as the primary confirmed details.
May 25, 2026