PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-49702 Microsoft CVE debrief

CVE-2025-49702 is a Microsoft Office type-confusion vulnerability with a high-severity CVSS 3.1 score of 7.8. According to the NVD record and Microsoft advisory, an unauthorized attacker can trigger local code execution on affected systems, but user interaction is required.

Vendor
Microsoft
Product
Microsoft 365 Apps for Enterprise
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2025-07-08
Original CVE updated
2025-07-16
Advisory published
2025-07-08
Advisory updated
2025-07-16

Who should care

Administrators and defenders responsible for Microsoft 365 Apps and Office deployments listed in the NVD record, including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office for Android, should treat this as a priority patch item.

Technical summary

The NVD entry maps this issue to CWE-843 (type confusion) and assigns CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The affected CPEs in the record span Microsoft 365 Apps (x86 and x64), Office 2016 (x86 and x64), Office 2019 (x86 and x64), Office LTSC 2021 (x86, x64, macOS), Office LTSC 2024 (x86, x64, macOS), and Office for Android. The practical impact is local code execution on a vulnerable endpoint after a user interacts with crafted content.

Defensive priority

High. The issue can give an attacker full confidentiality, integrity, and availability impact on affected endpoints, and Office is a common attack surface in enterprise environments.

Recommended defensive actions

  • Apply the Microsoft security update referenced in the MSRC advisory for CVE-2025-49702 as soon as possible.
  • Inventory Office versions and channels across endpoints to identify installations matching the vulnerable CPEs in the NVD record.
  • Prioritize patching for systems that regularly open untrusted documents or handle external content.
  • Use attachment and document controls, least privilege, and application hardening to reduce exposure while patching is underway.
  • Verify remediation against the Microsoft update guide and monitor for any vendor follow-up guidance or revisions.

Evidence notes

This debrief is based only on the supplied NVD record, which states the vulnerability is analyzed, lists Microsoft as the vendor, and provides the CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The record also cites Microsoft security advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49702 and identifies CWE-843 as the weakness. The CVE was published on 2025-07-08 and modified on 2025-07-16. No KEV entry was included in the supplied enrichment.

Official resources

Microsoft security advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49702. The CVE was publicly disclosed on 2025-07-08 and last modified on 2025-07-16. No KEV listing was provided in the supplied enrichment.