PatchSiren cyber security CVE debrief

CVE-2025-47164 Microsoft CVE debrief

CVE-2025-47164 is a high-severity use-after-free vulnerability in Microsoft Office that can allow an unauthorized attacker to execute code locally. Microsoft and NVD list a CVSS 3.1 score of 8.4 with local attack vector, no privileges required, and no user interaction required. The NVD entry marks multiple Microsoft Office product families as affected, including Office 2016, Office 2019, Office LTSC 2021/2024, Microsoft 365 Apps for enterprise, and Office variants on Android and macOS.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2025-07-09
Advisory published: 2025-06-10
Advisory updated: 2025-07-09

Who should care

Organizations running supported Microsoft Office installations, especially endpoints that use Office 2016/2019, Office LTSC 2021/2024, Microsoft 365 Apps for enterprise, or Office on Android/macOS. Endpoint security, patch management, and IT teams should prioritize this alongside other client-side code execution issues because exploitation could yield high-impact local code execution without requiring privileges or user interaction per the CVSS vector.

Technical summary

The published weakness is a use-after-free condition (CWE-416) in Microsoft Office. Per the NVD/Microsoft data, the CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a local attack path with no privileges and no user interaction required, and potentially complete compromise of confidentiality, integrity, and availability on the affected system. The source corpus does not provide additional exploitation details beyond the vulnerability class and affected Office product CPEs.

Defensive priority

High. The combination of local code execution potential, no privileges required, no user interaction required, and high confidentiality/integrity/availability impact warrants prompt patching of affected Office installations and validation that update channels are functioning as expected.

Recommended defensive actions

  • Apply Microsoft security updates for CVE-2025-47164 as soon as they are available for your affected Office product line.
  • Inventory endpoints and mobile/macOS assets to identify installations matching the affected Office CPEs listed in the NVD entry.
  • Prioritize systems used by privileged users, developers, and administrators, since successful local code execution can have outsized impact on those endpoints.
  • Verify Microsoft update compliance in endpoint management tooling and remediate any devices that missed the June 10, 2025 disclosure window.
  • Monitor Microsoft’s advisory for any revision to affected versions or remediation guidance.

Evidence notes

All claims are limited to the supplied official corpus. The CVE description states 'Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.' The NVD metadata gives CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, weakness CWE-416, and lists affected CPEs for Microsoft 365 Apps for enterprise, Office 2016, Office 2019, Office LTSC 2021 (Windows and macOS), Office LTSC 2024 (Windows and macOS), and Office for Android. The Microsoft advisory link is the only vendor reference provided.

Official resources

CVE-2025-47164 was published on 2025-06-10 and last modified on 2025-07-09 according to the supplied official timeline data.