CVE-2025-21364: Microsoft Excel Security Feature Bypass Vulnerability

Overview

Severity

High (CVSS 7.8)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Security Feature Bypass

Exploit Status

Not Exploited

Exploitation Likelihood

More Likely

Patch Tuesday

2025-Jan

Released

2025-01-14

Last Updated

2025-01-27

EPSS Score

0.24% (percentile: 47.5%)

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker who successfully exploited this vulnerability could bypass Office macro policies used to block untrusted or malicious files. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send a user a malicious Office file and convince them to open it. Is the Preview Pane an attack vector for this vulnerability? No, the Preview Pane is not an attack vector.

Affected Products (4)

Microsoft Office

• Microsoft 365 Apps for Enterprise for 32-bit Systems
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft Office LTSC 2024 for 32-bit editions
• Microsoft Office LTSC 2024 for 64-bit editions

Acknowledgments

Anonymous

Revision History

• 2025-01-14: Information published.
• 2025-01-27: Added an FAQ to indicate that the Preview Pane is not affected for this CVE. This is an informational change only.