Red Hot Cyber, The cybersecurity news

Microsoft warns: Critical vulnerabilities in Office! Users and admins at risk

Redazione RHC : 12 September 2025 08:16

On September 9, 2025, Microsoft disclosed and patched two significant vulnerabilities in Microsoft Office, tracked as CVE-2025-54910 and CVE-2025-54906. Both affect several versions of the productivity suite and, if exploited, could allow an attacker to run malicious code on affected systems.

Microsoft currently considers exploitation of these vulnerabilities unlikely, but because the outcome is remote code execution, users and system administrators should treat the updates as urgent.

The two vulnerabilities differ in both their exploitation methods and severity, with one classified as Critical and the other as Important. The most severe flaw, designated CVE-2025-54910, is a critical heap buffer overflow vulnerability.

This vulnerability, classified as CWE-122 (heap-based buffer overflow), could allow an attacker to execute arbitrary code on the target machine. What makes it particularly dangerous is that the Microsoft Office preview pane is an attack vector.

In other words, the victim does not have to open the malicious file: it is enough for the file to be received and rendered in a preview pane, for example in an Explorer window. The second vulnerability, CVE-2025-54906, is rated Important and stems from a use-after-free condition, tracked as CWE-416.

This flaw also allows remote code execution, but its exploitation vector differs significantly from the heap overflow: the attacker must craft a malicious file and use social engineering to persuade the user to open it.

Unlike the other flaw, the preview pane is not an attack vector for CVE-2025-54906, so the user must actively interact with the malicious content. This need for user interaction is a key reason why it is rated lower than the preview pane vulnerability.

Microsoft has released security updates to address these vulnerabilities for most affected software. The company recommends customers apply all updates offered for the software installed on their systems to ensure full protection.
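As an added example (not from this article and not Microsoft's own tooling), the following PowerShell check lets an administrator confirm on an endpoint that the installed Office Click-to-Run build is at or above the minimum fixed build for that machine's update channel, and kicks off an update check if it is not. The minimum build is passed in as a parameter because it differs per update channel and is not stated in this article; take the value from Microsoft's Security Update Guide entries for CVE-2025-54910 and CVE-2025-54906. The registry path and the OfficeC2RClient.exe update command are the standard Click-to-Run ones; MSI-based Office installations are not covered.

```powershell
# Added example, not part of the article: compare the installed Office
# Click-to-Run build against an admin-supplied minimum build and flag
# machines that still expose CVE-2025-54910 / CVE-2025-54906.
param(
    # Assumption: the caller supplies the fixed build for this machine's
    # channel, e.g. "16.0.x.y" taken from the Security Update Guide.
    [Parameter(Mandatory = $true)]
    [string]$MinimumBuild
)

$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

if (-not (Test-Path $c2rKey)) {
    Write-Warning "No Click-to-Run Office installation found under $c2rKey (MSI-based Office is not checked by this script)."
    exit 2
}

$cfg       = Get-ItemProperty -Path $c2rKey
$installed = [version]$cfg.VersionToReport   # build Office reports in File > Account
$channel   = $cfg.CDNBaseUrl                 # URL identifying the update channel
$required  = [version]$MinimumBuild

# One row per machine; pipe to Export-Csv when running across a fleet.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    InstalledBuild  = $installed
    UpdateChannel   = $channel
    RequiredBuild   = $required
    # CVE-2025-54910 is reachable through the preview pane, so an unpatched
    # build is exposed even if users never open untrusted documents.
    PreviewPaneRisk = ($installed -lt $required)
}

if ($installed -lt $required) {
    Write-Warning "Office build $installed is below $required; fixes for CVE-2025-54910 and CVE-2025-54906 may be missing."
    # Same action as File > Account > Update Now, without UI.
    $c2rClient = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe'
    if (Test-Path $c2rClient) {
        & $c2rClient /update user displaylevel=false
    }
    exit 1
}

exit 0
```

Run it with `.\Check-OfficeBuild.ps1 -MinimumBuild <build>` (script name assumed) as an administrator; a non-zero exit code marks the machine as needing attention, which makes it easy to wire into a scheduled task or a remote-execution job across many endpoints.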

The vulnerabilities identified in Microsoft Office, CVE-2025-54910 and CVE-2025-54906, pose a significant threat to user security, potentially allowing malicious code to run on affected systems. While Microsoft currently considers these vulnerabilities unlikely to be exploited, it is critical to promptly apply released security patches to mitigate the risk.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
