PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-62199 Microsoft CVE debrief

CVE-2025-62199 is a Microsoft Office use-after-free vulnerability (CWE-416) publicly disclosed on 2025-11-11 and later modified on 2025-11-19. The official NVD record rates it HIGH (CVSS 7.8) with a local attack vector, no privileges required, but user interaction required; successful exploitation can impact confidentiality, integrity, and availability at a high level. The NVD CPE list indicates exposure across Microsoft 365 Apps enterprise, Excel 2016, Office for Android, and Office Long Term Servicing Channel 2021/2024 variants on x64, x86, and macOS. This makes the issue important for endpoint fleets that routinely open Office documents, even though no Known Exploited Vulnerabilities entry is included in the supplied data.

Vendor: Microsoft
Product: Office Long Term Servicing Channel
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-11
Original CVE updated: 2025-11-19
Advisory published: 2025-11-11
Advisory updated: 2025-11-19

Who should care

Endpoint and patch-management teams responsible for Microsoft Office deployments, especially Microsoft 365 Apps, Excel 2016, Office LTSC 2021/2024, and Office on Android/macOS. It is also relevant for organizations that frequently receive or open external Office files.

Technical summary

Microsoft describes the flaw as a use-after-free in Office. The published CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) means an attacker needs local access and user interaction, but no privileges. NVD maps the weakness to CWE-416 and lists affected Office-related CPEs across multiple product variants.

Defensive priority

High. Apply Microsoft updates promptly, verify whether your specific Office builds match the affected CPEs in the NVD record, and prioritize systems that handle untrusted documents or shared files.

Recommended defensive actions

  • Apply the Microsoft security update referenced in the MSRC advisory for CVE-2025-62199.
  • Inventory Office LTSC 2021/2024, Microsoft 365 Apps, Excel 2016, and Office on Android/macOS to confirm exposure.
  • Prioritize patching workstations and VDI images used to open external or shared Office documents.
  • Until patched, reduce exposure to untrusted Office files and attachments using existing organizational controls.
  • Recheck Microsoft guidance after updates; the CVE was modified on 2025-11-19, so confirm the latest advisory details before closing the ticket.

Evidence notes

This debrief is based on the official CVE/NVD records and the Microsoft MSRC advisory link provided in the corpus. NVD lists CWE-416 and CVSS v3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and the CPE list includes Microsoft 365 Apps enterprise, Excel 2016, Office for Android, and Office LTSC 2021/2024 variants. No KEV entry was supplied, so exploitation in the wild is not asserted here.

Official resources

Publicly disclosed in official records on 2025-11-11 and modified on 2025-11-19. The supplied corpus does not include a Known Exploited Vulnerabilities entry.