Microsoft has addressed two significant security vulnerabilities in its Office suite, identified as CVE-2025-54910 and CVE-2025-54906. Both flaws were disclosed on September 9, 2025, affect multiple versions of Microsoft Office, and can lead to remote code execution.
CVE-2025-54910: Heap-Based Buffer Overflow
CVE-2025-54910 is a critical-rated vulnerability stemming from a heap-based buffer overflow, classified under CWE-122. Successful exploitation lets an unauthorized attacker execute arbitrary code locally on the target machine. Notably, the Preview Pane in Microsoft Office is an attack vector: the user does not have to open the file, because merely selecting a malicious document in an Explorer window so that it renders in the Preview Pane is enough to trigger the flaw. That absence of a meaningful user-interaction requirement is what drives the severity of this vulnerability.
CVE-2025-54906: Use-After-Free Condition
The second vulnerability, CVE-2025-54906, is rated as important and arises from a use-after-free condition, cataloged as CWE-416. This flaw also permits remote code execution, but it requires user interaction: an attacker must craft a malicious file and persuade the user to open it. Unlike CVE-2025-54910, the Preview Pane is not an attack vector for this vulnerability, so the victim has to actively engage with the malicious content. This user-interaction requirement is why it carries a lower severity rating than CVE-2025-54910.
Mitigation Measures
Microsoft has released security updates that address these vulnerabilities for most affected software versions, and users are strongly encouraged to apply all available updates. Security updates for Microsoft Office LTSC for Mac 2021 and 2024 were not available at the time of disclosure; Microsoft has stated they will be released shortly and will notify customers through a revision to the CVE information once they are ready. Until then, those installations remain exposed. Given the serious nature of remote code execution flaws, and in particular the no-click Preview Pane vector of CVE-2025-54910, prompt installation of these patches is crucial to mitigate potential exploitation risks.
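The following PowerShell script is an added example, not part of the advisory or of any Microsoft tooling. It gives an administrator a quick way to check two things on a Windows host: whether the installed Click-to-Run Office build is at or above a minimum build you supply (the advisory quotes no build numbers, so the `-MinimumBuild` value is an assumption that must be filled in from Microsoft's CVE page for the channel in use), and whether Explorer's Preview Pane and Details Pane are already disabled by policy, which is a stop-gap for the CVE-2025-54910 vector on machines that cannot be patched immediately. It also lists the registered preview handlers so you can see which Office document types would render in the pane. The `NoPreviewPane` and `NoReadingPane` policy value names are assumed to correspond to the "Turn off Preview Pane" and "Turn off Details Pane" Group Policy settings.

```powershell
# Added example (not from the advisory): check Office build and Preview Pane state.
# Run in an elevated PowerShell session on the host being assessed.
[CmdletBinding()]
param(
    # ASSUMPTION: placeholder. Replace with the minimum patched build for your
    # update channel, taken from the Microsoft CVE page for CVE-2025-54910/54906.
    [version]$MinimumBuild = '16.0.0.0',

    # If set, disable Explorer's Preview Pane and Details Pane for the current
    # user via policy values (assumed to back the corresponding Group Policy).
    [switch]$DisablePreviewPane
)

$report = [ordered]@{}

# 1. Installed Office build (Click-to-Run installs record it here; MSI installs do not).
$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path $c2rKey) {
    $cfg = Get-ItemProperty -Path $c2rKey
    $installed = [version]$cfg.VersionToReport
    $report.OfficeVersion  = $installed.ToString()
    $report.Platform       = $cfg.Platform
    $report.UpdateChannel  = $cfg.CDNBaseUrl
    $report.MeetsMinimum   = ($installed -ge $MinimumBuild)
} else {
    $report.OfficeVersion  = 'No Click-to-Run configuration found (MSI install or no Office)'
    $report.MeetsMinimum   = $null
}

# 2. Preview handlers registered on the machine. Each value is CLSID -> display name;
#    Office registers its Word/Excel/PowerPoint previewers here.
$handlerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers'
$handlers = @()
if (Test-Path $handlerKey) {
    $item = Get-Item -Path $handlerKey
    foreach ($clsid in $item.GetValueNames()) {
        $name = $item.GetValue($clsid)
        if ($name -match 'Microsoft|Word|Excel|PowerPoint') {
            $handlers += "$name ($clsid)"
        }
    }
}
$report.OfficePreviewHandlers = $handlers -join '; '

# 3. Explorer pane policy for the current user (assumed value names, see lead-in).
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if ($DisablePreviewPane) {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name 'NoPreviewPane' -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'NoReadingPane' -Value 1 -Type DWord
}
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$report.PreviewPaneDisabled = ($policy.NoPreviewPane -eq 1)
$report.DetailsPaneDisabled = ($policy.NoReadingPane -eq 1)

# 4. Summarise. A host is "exposed" if it is below the minimum build and the
#    Preview Pane is still enabled, i.e. the no-click CVE-2025-54910 vector applies.
$report.ExposedToPreviewPaneVector = (
    ($report.MeetsMinimum -ne $true) -and (-not $report.PreviewPaneDisabled)
)

[pscustomobject]$report
```

Run it without arguments to get a report, or with `-MinimumBuild 16.0.XXXXX.XXXXX -DisablePreviewPane` to both compare against the build you looked up and turn the panes off for the current user until the patch lands. Disabling the pane is a per-user mitigation that only blocks the preview vector; it does nothing for CVE-2025-54906, where the user opens the file, and it is no substitute for applying the update. Office LTSC for Mac is out of scope for this script.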