
Critical Microsoft Office Vulnerabilities Allow Attackers to Execute Malicious Code

Microsoft has released patches for two significant vulnerabilities in Microsoft Office that could allow attackers to execute malicious code on affected systems. The flaws, tracked as CVE-2025-54910 and CVE-2025-54906, were disclosed on September 9, 2025, and impact various versions of the popular productivity suite. While Microsoft has assessed the likelihood of exploitation as “less likely” for both vulnerabilities at this time, their potential for remote code execution necessitates immediate attention from users and administrators.

The vulnerabilities differ in their exploitation methods and severity, with CVE-2025-54910 rated as Critical and CVE-2025-54906 rated as Important. The more severe flaw, CVE-2025-54910, is a heap-based buffer overflow vulnerability that can allow an unauthorised attacker to execute arbitrary code locally on a target machine, particularly through the Preview Pane in Microsoft Office.

CVE-2025-54906, rated as Important, stems from a Use-After-Free condition and also permits remote code execution, but requires user interaction to exploit. An attacker must craft a malicious file and socially engineer the user into opening it, as the Preview Pane is not an attack vector for this vulnerability. Microsoft has released security updates to address these vulnerabilities for most affected software and advises customers to apply all updates to ensure comprehensive protection. Security updates for Microsoft Office LTSC for Mac 2021 and 2024 are not immediately available but will be released shortly. Users are strongly encouraged to install the patches as soon as possible to mitigate the risk of potential exploitation. 

Categories: Microsoft Office Vulnerabilities, Remote Code Execution, Security Updates 

Tags: Microsoft, Vulnerabilities, CVE-2025-54910, CVE-2025-54906, Remote Code Execution, Buffer Overflow, Use-After-Free, Security Updates, Exploitation, Mitigations 
