PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-49695 Microsoft CVE debrief

CVE-2025-49695 is a high-severity use-after-free issue in Microsoft Office that can let an unauthorized attacker execute code locally. Because the impact is code execution with high confidentiality, integrity, and availability consequences, organizations should treat affected Office deployments as a patch priority.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-08
Original CVE updated: 2025-07-15
Advisory published: 2025-07-08
Advisory updated: 2025-07-15

Who should care

Microsoft Office and Microsoft 365 Apps administrators, endpoint security teams, patch management owners, and users of affected Office editions on Windows, macOS, and Android where applicable.

Technical summary

NVD classifies this issue as CWE-416 (use after free) with CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, i.e. a local attack vector with low complexity, no privileges required and no user interaction, and high impact on confidentiality, integrity, and availability. The supplied NVD data marks multiple Microsoft Office product families as vulnerable, including Microsoft 365 Apps (enterprise x86/x64), Office 2016, Office 2019, Office Long Term Servicing Channel 2021/2024, and the Office for Android/macOS variants listed in the CPE set. The vulnerability is described as enabling local code execution by an unauthorized attacker.

Defensive priority

High for endpoints and workstations running affected Microsoft Office installations.

Recommended defensive actions

  • Review Microsoft’s security advisory for CVE-2025-49695 and confirm which installed Office products are in scope.
  • Apply Microsoft’s security update guidance as soon as it is available for affected devices.
  • Inventory Office versions across Windows, macOS, and Android endpoints to identify exposure.
  • Prioritize remediation on systems where users can open untrusted content or where Office is widely used for business-critical workflows.
  • Use standard endpoint hardening and least-privilege practices to reduce the impact of local code execution flaws.
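To support the inventory step above, here is an added PowerShell example (not from the PatchSiren debrief or from Microsoft) that reports the Office build, platform and update channel on a Windows endpoint. It assumes the standard Click-to-Run configuration registry key and the Add/Remove Programs uninstall keys; the $MinimumPatchedBuild value is a placeholder to be filled from Microsoft's advisory, which this page does not reproduce.

```powershell
# Added example, not part of the PatchSiren debrief: inventory the Office build,
# platform and update channel on a Windows host so exposure to CVE-2025-49695
# can be reviewed. The fixed build numbers are not on the debrief page; take
# them from Microsoft's advisory and pass them in $MinimumPatchedBuild.
param(
    [string]$MinimumPatchedBuild = '0.0.0.0'   # PLACEHOLDER: replace with the advisory build
)

$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$result = [ordered]@{
    ComputerName  = $env:COMPUTERNAME
    InstallType   = 'None'
    Product       = $null
    Version       = $null
    Platform      = $null
    UpdateChannel = $null
    MeetsMinimum  = $null   # $null when the build cannot be compared
}

# Microsoft 365 Apps, Office 2019 and Office LTSC 2021/2024 are Click-to-Run
# installs and record their build in this configuration key.
if (Test-Path $c2rKey) {
    $cfg = Get-ItemProperty -Path $c2rKey
    $result.InstallType   = 'ClickToRun'
    $result.Product       = $cfg.ProductReleaseIds
    $result.Version       = $cfg.VersionToReport
    $result.Platform      = $cfg.Platform
    $result.UpdateChannel = $cfg.UpdateChannel
    $result.MeetsMinimum  = [version]$cfg.VersionToReport -ge [version]$MinimumPatchedBuild
}
else {
    # Older MSI-based installs (e.g. Office 2016 volume license) have no C2R key.
    # Record them from Add/Remove Programs so the host is still inventoried; MSI
    # Office is serviced by KB updates, so the build comparison is left as $null.
    $msi = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Microsoft (Office|365)' } |
        Select-Object -First 1 DisplayName, DisplayVersion
    if ($msi) {
        $result.InstallType = 'MSI'
        $result.Product     = $msi.DisplayName
        $result.Version     = $msi.DisplayVersion
    }
}

[pscustomobject]$result
```

Run it through your endpoint management tooling and collect the objects centrally; hosts with MeetsMinimum equal to $false or $null need manual follow-up against the advisory.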

Evidence notes

Based on the supplied NVD record and Microsoft advisory reference. NVD lists CVSS 3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, CWE-416, and vulnerable CPEs for Microsoft 365 Apps, Office 2016, Office 2019, Office LTSC 2021/2024, and Office for Android/macOS variants. The NVD reference set includes the Microsoft Security Response Center advisory. Published 2025-07-08 and last modified 2025-07-15 in the supplied timeline.

Official resources

Publicly disclosed on 2025-07-08 and last modified in the supplied records on 2025-07-15. The supplied corpus does not mark this CVE as a CISA KEV entry.