PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-49696 Microsoft CVE debrief

CVE-2025-49696 is a Microsoft Office vulnerability described as an out-of-bounds read that may allow an unauthorized attacker to execute code locally. NVD assigns it CVSS 8.4 (HIGH) with local attack vector, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

Vendor: Microsoft
Product: Microsoft 365 Apps for Enterprise
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-08
Original CVE updated: 2025-07-15
Advisory published: 2025-07-08
Advisory updated: 2025-07-15

Who should care

Security and IT teams managing Microsoft Office deployments, especially Microsoft 365 Apps for Enterprise, Office 2016/2019, Office LTSC 2021, Office LTSC 2024, and Office for Android/macOS where applicable.

Technical summary

The NVD record classifies CVE-2025-49696 as CWE-125 (out-of-bounds read), with Microsoft also listing CWE-122 (heap-based buffer overflow) as a secondary weakness. The published CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: a locally exploitable issue that requires no privileges or user interaction and, if triggered in an affected Office installation, has high impact on confidentiality, integrity, and availability. The NVD vulnerable CPE set includes Microsoft 365 Apps for Enterprise (x86/x64), Office 2016, Office 2019, Office LTSC 2021, and Office LTSC 2024 across x86/x64 and macOS variants, plus Office for Android.

Defensive priority

High

Recommended defensive actions

  • Install the Microsoft update referenced in the vendor advisory for CVE-2025-49696.
  • Prioritize remediation on endpoints running the affected Office editions and channels listed in the NVD record.
  • Verify that Microsoft 365 Apps for Enterprise, Office 2016/2019, Office LTSC 2021/2024, and any deployed Office for Android/macOS builds are covered by the applicable update.
  • Track Microsoft and NVD updates for any change in vulnerability scope or remediation guidance.

Evidence notes

This debrief is based on the supplied NVD record and the Microsoft Security Response Center advisory linked from that record. The CVE was published on 2025-07-08 and modified on 2025-07-15. The supplied corpus does not include a CISA KEV entry or any confirmed ransomware association.

Official resources

The supplied CVE/NVD record was published 2025-07-08 and modified 2025-07-15; the Microsoft Security Response Center advisory is referenced from that NVD record. No CISA KEV listing is present in the supplied data.