Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Microsoft Office Use-After-Free Remote Code Execution Vulnerability

IdentifiersCVE-2025-62557CWE-416· Use After Free

CVE-2025-62557 is a Microsoft Office memory-corruption vulnerability caused by a use-after-free condition in Office document parsing. Public reporting and Microsoft-linked summaries describe the flaw as allowing an unauthorized attacker to execute code locally in the context of the affected Office process when a specially crafted Office file, malicious link, or crafted email content is parsed. Multiple sources indicate Outlook Preview Pane is an attack vector, meaning exploitation may occur when a booby-trapped email is rendered or previewed, without the victim explicitly opening the attachment in the worst case. The vulnerability is rated Critical with CVSS v3.1 8.4, and public references characterize it as an Office/Outlook remote code execution issue despite the CVSS attack vector being local because the vulnerable parsing is typically reached through remotely delivered content such as phishing emails or shared documents.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows attacker-controlled code execution with the privileges of the logged-on user and the affected Office application. This can enable full compromise of the user session, including malware execution, data theft, credential access, persistence, and follow-on lateral movement, subject to the victim's privileges and endpoint controls. Where Preview Pane rendering is reachable, the impact is elevated because exploitation may require little or no user interaction beyond receipt or preview of a crafted email.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or restricting Outlook Preview Pane and other automatic preview handlers for high-risk users, enforcing Office Protected View for files from the internet and untrusted sources, routing attachments through sandboxing/detonation, and using Attack Surface Reduction rules plus application control such as AppLocker or WDAC to block Office child-process execution. Additional mitigations include limiting user privileges, blocking or filtering suspicious attachments and links at the mail gateway, and monitoring for anomalous Office behavior such as Office processes spawning cmd.exe, powershell.exe, wscript.exe, or making unusual outbound network connections immediately after document or email rendering.

Remediation

Patch, then assume compromise.

Apply Microsoft's December 2025 security updates for all affected Microsoft Office products and channels, using the MSRC Security Update Guide to map CVE-2025-62557 to the correct KB, build, or release channel for the deployed SKU (for example Click-to-Run, MSI, Microsoft 365 Apps, Office 2016/2019/LTSC, and platform-specific releases). Prioritize systems that process untrusted Office content, especially Outlook clients and any servers or services that automatically parse or preview Office documents. Verify patch status against Microsoft-provided build numbers rather than third-party mirrors. Public reporting notes that updates for Office LTSC for Mac 2021 and 2024 were not yet available at initial disclosure, so administrators should monitor Microsoft for those releases and deploy them as soon as published.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft Corporation365 Appsapplication
Microsoft Corporation365 Copilotapplication
Microsoft CorporationOfficeapplication
Microsoft CorporationOffice 2016application
Microsoft CorporationOffice 2019application
Microsoft CorporationOffice 2021application
Microsoft CorporationOffice 2024application
Microsoft CorporationOffice Long Term Servicing Channelapplication
Microsoft CorporationOffice Macos 2021application
Microsoft CorporationOffice Macos 2024application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

24 SOURCESView more in app
flareio blogNews
Dec 17, 2025
From Patch to Exploit: Flare’s Intelligence on Cybercrime After December 2025 Patch Tuesday

A critical remote code execution vulnerability in Microsoft Office that can be exploited via the Outlook preview pane, allowing code execution with no user interaction. Exploitation is considered less likely, but the attack vector is significant.

Read more
rapid7 blogNews
Dec 10, 2025
Patch Tuesday - December 2025

A critical remote code execution vulnerability in Microsoft Office that can be exploited via the Preview Pane, potentially allowing code execution without user interaction.

Read more
arctic wolf blogNews
Dec 10, 2025
Microsoft Patch Tuesday: December 2025

A Microsoft Outlook remote code execution vulnerability caused by a use-after-free condition, potentially triggerable via malicious links/emails (including a no-user-interaction worst case as described).

Read more
arctic wolf blogNews
Dec 10, 2025
Microsoft Patch Tuesday: December 2025

A Microsoft Outlook remote code execution vulnerability caused by a use-after-free, potentially triggerable via a malicious link/email and in worst case without user interaction.

Read more
+13 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-62557
NVD
nvd.nist.gov/vuln/detail/CVE-2025-62557
MITRE CWE · CWE-416
Use After Free
Vendor Advisory
msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62557