PatchSiren cyber security CVE debrief
CVE-2025-62554 Microsoft CVE debrief
CVE-2025-62554 is a Microsoft Office type confusion issue that can allow an unauthorized attacker to execute code locally. The record is scored CVSS 8.4 (HIGH) and maps to a broad set of Office products, including Office 2016/2019, Office LTSC 2021/2024, Microsoft 365 Apps, and Office on macOS and Android.
- Vendor: Microsoft
- Product: Microsoft 365 Apps for Enterprise
- CVSS: 8.4 (HIGH)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-09
- Original CVE updated: 2025-12-10
- Advisory published: 2025-12-09
- Advisory updated: 2025-12-10
Who should care
Endpoint, desktop, and application security teams that manage Microsoft Office deployments, especially environments running the affected Office editions and platforms listed in NVD.
Technical summary
The NVD entry and the Microsoft advisory classify the flaw as CWE-843 (Access of Resource Using Incompatible Type, i.e. type confusion). NVD assigns CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a local attack path with no privileges and no user interaction required, and high confidentiality, integrity, and availability impact if the flaw is triggered. The supplied NVD metadata links the issue to Microsoft's advisory for CVE-2025-62554 and lists affected CPEs across Office 2016, Office 2019, Office LTSC 2021/2024, Microsoft 365 Apps, and Office on macOS and Android.
Defensive priority
High. Although the attack vector is local, the combination of no privileges, no user interaction, and high confidentiality/integrity/availability impact makes this a prompt patching item for any affected Office installation.
Recommended defensive actions
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2025-62554.
- Inventory Office installations to confirm whether any affected editions or platforms are present, including Office 2016/2019, Office LTSC 2021/2024, Microsoft 365 Apps, and any macOS or Android Office deployments.
- Prioritize remediation on endpoints where local code execution would be especially harmful, such as shared workstations or systems with broader access to sensitive data.
- Track the Microsoft advisory and NVD entry for any follow-up guidance or updated applicability details.
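The inventory step above is the one that usually stalls, because Click-to-Run and MSI-based Office register themselves in different places. The script below is an added example written for this debrief, not code from Microsoft or from the advisory: it reads the standard Click-to-Run configuration key and the MSI Uninstall entries on a Windows endpoint and flags any Office install whose build is below an operator-supplied minimum. The fixed build number is not stated on this page, so `$MinimumFixedBuild` is a placeholder that must be replaced with the build listed in the MSRC advisory for CVE-2025-62554. macOS and Android deployments are not covered here and need a separate check.

```powershell
# Added example (not from the advisory): inventory Office installs on a Windows
# endpoint and flag those below an operator-supplied build. Registry paths are
# the standard Click-to-Run and MSI locations; $MinimumFixedBuild is a
# placeholder to be taken from the MSRC advisory for CVE-2025-62554.
[CmdletBinding()]
param(
    # PLACEHOLDER: replace with the fixed build from the MSRC advisory.
    [version]$MinimumFixedBuild = '16.0.0.0'
)

function Get-OfficeInventory {
    $results = @()

    # Click-to-Run covers Microsoft 365 Apps, Office 2019, LTSC 2021/2024 and
    # retail Office 2016. VersionToReport is the build Office itself reports.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $cfg = Get-ItemProperty -Path $c2r
        $results += [pscustomobject]@{
            Install  = 'ClickToRun'
            Products = $cfg.ProductReleaseIds
            Version  = $cfg.VersionToReport -as [version]
            Platform = $cfg.Platform
            Channel  = $cfg.CDNBaseUrl
        }
    }

    # MSI-based installs (volume-licensed Office 2016/2019) appear only under
    # the Uninstall keys. Click-to-Run also writes an Uninstall entry, so drop
    # anything whose uninstaller is OfficeClickToRun to avoid double counting.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -like 'Microsoft Office*' -and
            $_.DisplayVersion -and
            $_.UninstallString -notlike '*ClickToRun*'
        } |
        ForEach-Object {
            $ver = $_.DisplayVersion -as [version]
            if ($ver) {
                $results += [pscustomobject]@{
                    Install  = 'MSI'
                    Products = $_.DisplayName
                    Version  = $ver
                    Platform = $null
                    Channel  = $null
                }
            }
        }
    return $results
}

function Test-OfficeBuild {
    # Annotate each inventory row with whether it is below the fixed build.
    param(
        [Parameter(ValueFromPipeline)] $Item,
        [version] $Minimum
    )
    process {
        $Item |
            Add-Member -NotePropertyName 'BelowFixedBuild' `
                       -NotePropertyValue ($Item.Version -lt $Minimum) -PassThru
    }
}

$inventory = Get-OfficeInventory
if (-not $inventory) {
    Write-Output "No Office installation found on $env:COMPUTERNAME"
    return
}

$inventory |
    Test-OfficeBuild -Minimum $MinimumFixedBuild |
    Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                  Install, Products, Version, Platform, Channel, BelowFixedBuild |
    Format-Table -AutoSize
```

Run it with `-MinimumFixedBuild <build from the MSRC advisory>` on each endpoint, or push it through your endpoint management tool and collect the `BelowFixedBuild` column; rows marked `True` are the machines to patch first, and the `Channel` column tells you which update channel the Click-to-Run client is pulling from.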
Evidence notes
Supplied official sources include the NVD CVE record and Microsoft’s MSRC advisory. The NVD metadata marks the vulnerability as analyzed, cites Microsoft as the vendor advisory source, lists CWE-843, and provides the CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVE was published on 2025-12-09 and modified on 2025-12-10 in the supplied timeline.
Official resources
- CVE-2025-62554 CVE record (CVE.org)
- CVE-2025-62554 NVD detail (NVD)
- Mitigation or vendor reference: Microsoft MSRC advisory for CVE-2025-62554 (Vendor Advisory)
Publicly disclosed in the CVE record on 2025-12-09. The supplied NVD metadata was modified on 2025-12-10. No KEV listing is present in the supplied corpus.