Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Microsoft Office Use-After-Free Remote Code Execution Vulnerability

IdentifiersCVE-2025-62199CWE-416· Use After Free

CVE-2025-62199 is a Microsoft Office remote code execution vulnerability caused by a use-after-free condition in Microsoft Office. The available reporting indicates that exploitation is triggered by a specially crafted malicious Office file, with user interaction typically required to download and open the file. Multiple sources in the provided content also note that the Outlook Preview Pane may be a viable trigger path, meaning exploitation may occur when a user previews a malicious email or attachment rather than explicitly opening the document. Successful exploitation results in arbitrary code execution in the context of the affected Office application on the vulnerable workstation.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow arbitrary code execution on the victim system in the security context of the user running the affected Office application. This can enable installation of malware, theft or manipulation of data accessible to that user, and establishment of further footholds on the host. Because the flaw is document-driven and may be reachable via the Preview Pane, it is suitable for phishing and email-borne intrusion scenarios and could be used as an initial access vector.

Mitigation

If you can’t patch tonight, do this now.

Until patches are fully deployed, reduce exposure by blocking or quarantining untrusted Office attachments, restricting delivery of documents from external sources, and hardening Office document handling. Enable Protected View for files originating from email, the internet, or network locations. Use Microsoft Defender Attack Surface Reduction rules to block Office applications from creating child processes where operationally feasible. Limit use of the Outlook Preview Pane for untrusted mailflows if possible, and monitor for suspicious Office child-process creation, abnormal document handling, and phishing activity targeting Office users.

Remediation

Patch, then assume compromise.

Apply the Microsoft security update released for CVE-2025-62199 as part of the November 2025 Patch Tuesday. Prioritize patching all supported Microsoft Office installations, especially endpoints used for email handling and document processing. Ensure Office, Outlook, and related components are updated through normal enterprise patch management channels and verify successful deployment across affected workstations.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft Corporation365 Appsapplication
Microsoft Corporation365 Copilotapplication
Microsoft CorporationExcelapplication
Microsoft CorporationOfficeapplication
Microsoft CorporationOffice 2016application
Microsoft CorporationOffice 2021application
Microsoft CorporationOffice 2024application
Microsoft CorporationOffice Long Term Servicing Channelapplication
Microsoft CorporationOffice Macos 2021application
Microsoft CorporationOffice Macos 2024application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
expel blogNews
Jan 14, 2026
Patch Tuesday: January 2026 (Expel’s version) | Expel

A remote code execution vulnerability in Microsoft Office.

Read more
rewterzNews
Nov 21, 2025
Threat Actor Claim to Sell a Microsoft Office 0-Day RCE Exploit - Rewterz

A Microsoft remote code execution vulnerability that Microsoft addressed in its November 2025 Patch Tuesday, mentioned to contrast with an alleged unpatched Office 0-day.

Read more
bank info securityNews
Nov 13, 2025
Breach Roundup: UK Probes Chinese-Made Electric Buses

A use-after-free vulnerability in Microsoft Office that could enable remote code execution via malicious documents.

Read more
govinfosecurityNews
Nov 13, 2025
Breach Roundup: UK Probes Chinese-Made Electric Buses

A use-after-free vulnerability in Microsoft Office that could enable remote code execution via malicious documents.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-62199
NVD
nvd.nist.gov/vuln/detail/CVE-2025-62199
MITRE CWE · CWE-416
Use After Free
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62199
vicarius.io
vicarius.io/vsociety/posts/cve-2025-62199-detect-microsoft-office-rce-vulnerability
vicarius.io
vicarius.io/vsociety/posts/cve-2025-62199-mitigate-microsoft-office-rce-vulnerability