Microsoft has released patches for two significant vulnerabilities in Microsoft Office that could allow attackers to execute malicious code on affected systems.
The flaws, tracked as CVE-2025-54910 and CVE-2025-54906, were disclosed on September 9, 2025, and affect various versions of the popular productivity suite.
While Microsoft has assessed exploitation as “less likely” for both vulnerabilities at this time, their potential for remote code execution warrants immediate attention from users and administrators.
The vulnerabilities differ in their exploitation methods and severity, with one being rated as Critical and the other as Important.
Critical Microsoft Office Vulnerabilities
The more severe of the two flaws, CVE-2025-54910, is a Critical-rated heap-based buffer overflow vulnerability.
This type of weakness, cataloged as CWE-122, can allow an unauthorized attacker to execute arbitrary code locally on a target machine. A particularly dangerous aspect of this vulnerability is that the Preview Pane in Microsoft Office serves as an attack vector.
This means an attacker could trigger the exploit without any user interaction beyond the victim receiving a malicious file and viewing it in an Explorer window.
Although the attack is executed locally, the term “remote” in the vulnerability’s title refers to the attacker’s location, highlighting that they do not need prior access to the victim’s machine.
The second vulnerability, CVE-2025-54906, is rated as Important and stems from a Use-After-Free condition, tracked as CWE-416.
This flaw also permits remote code execution, but its exploitation vector differs significantly from the heap-based overflow. To exploit this vulnerability, an attacker must craft a malicious file and socially engineer the user into opening it.
Unlike the other flaw, the Preview Pane is not an attack vector for CVE-2025-54906, meaning the user must actively engage with the malicious content.
This requirement for user interaction is a key reason for its lower severity rating compared to the Preview Pane vulnerability.
Mitigations
Microsoft has released security updates to address these vulnerabilities for most affected software. The company advises customers to apply all updates offered for the software installed on their systems to ensure comprehensive protection.
Security updates for Microsoft Office LTSC for Mac 2021 and 2024 are not immediately available but will be released shortly.
Microsoft will notify customers through a revision to the CVE information once these updates are ready. Given the serious nature of remote code execution flaws, users are strongly encouraged to install the patches as soon as possible to mitigate the risk of potential exploitation.
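The following PowerShell audit script is an added example, not code from the article or from Microsoft. It checks the two things an administrator will want to confirm after reading the advisory: that the installed Click-to-Run Office build is at or above the patched build, and, as defence in depth against a Preview Pane attack vector, whether the File Explorer preview pane has been turned off by policy. The minimum build number is a placeholder (the article gives no build numbers; take the real value from the release notes for your update channel), and the registry locations used for the Click-to-Run version and the "Turn off Preview Pane" policy are assumptions to verify against your own environment and ADMX templates.

```powershell
# Added example (not from the article or Microsoft): audit Office patch level and
# File Explorer preview-pane policy on a Windows host.
#
# ASSUMPTIONS:
#   * $MinimumPatchedBuild is a PLACEHOLDER; replace it with the patched build
#     for your channel from the Microsoft September 2025 release notes.
#   * Click-to-Run installs record their version in
#     HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (VersionToReport).
#   * The "Turn off Preview Pane" user policy is stored as the DWORD NoReadingPane
#     under HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
#     Confirm both locations against your own ADMX templates before relying on them.

[CmdletBinding()]
param(
    [version]$MinimumPatchedBuild = [version]'16.0.0.0',   # PLACEHOLDER value
    [switch]$DisablePreviewPane                             # opt-in remediation
)

$ClickToRunKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-OfficeClickToRunVersion {
    # Returns the installed Click-to-Run build as a [version], or $null if absent.
    if (-not (Test-Path $ClickToRunKey)) { return $null }
    $raw = (Get-ItemProperty -Path $ClickToRunKey -Name VersionToReport `
            -ErrorAction SilentlyContinue).VersionToReport
    if ([string]::IsNullOrEmpty($raw)) { return $null }
    return [version]$raw
}

function Test-OfficePatched {
    # True when an Office build is present and at or above the minimum patched build.
    param([version]$Installed, [version]$Minimum)
    if ($null -eq $Installed) { return $false }
    return $Installed -ge $Minimum
}

function Get-PreviewPanePolicy {
    # Returns 1 when the preview pane is turned off by policy, otherwise 0.
    if (-not (Test-Path $ExplorerPolicyKey)) { return 0 }
    $v = (Get-ItemProperty -Path $ExplorerPolicyKey -Name NoReadingPane `
            -ErrorAction SilentlyContinue).NoReadingPane
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Set-PreviewPaneDisabled {
    # Applies the "Turn off Preview Pane" policy for the current user.
    New-Item -Path $ExplorerPolicyKey -Force | Out-Null
    New-ItemProperty -Path $ExplorerPolicyKey -Name NoReadingPane `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# --- Audit ---
$installed = Get-OfficeClickToRunVersion
$patched   = Test-OfficePatched -Installed $installed -Minimum $MinimumPatchedBuild

if ($DisablePreviewPane -and (Get-PreviewPanePolicy) -ne 1) {
    Set-PreviewPaneDisabled
}

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    OfficeBuild          = if ($installed) { $installed.ToString() } else { 'not found' }
    MinimumPatchedBuild  = $MinimumPatchedBuild.ToString()
    OfficePatched        = $patched
    PreviewPaneDisabled  = ((Get-PreviewPanePolicy) -eq 1)
    Action               = if (-not $patched) { 'Apply the September 2025 Office update' }
                           else { 'None' }
}
```

Run it without switches to get a read-only report, or with `-DisablePreviewPane` to apply the preview-pane policy for the current user; disabling the preview pane reduces exposure to the Preview Pane vector only and is no substitute for installing the update.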