PT-2025-1240 · Microsoft · Office +4

Jeongmin Choi +4 · Published 2025-01-14 · Updated 2025-07-01 · CVE-2025-21365

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Microsoft Office versions prior to the fixed version
Microsoft 365 Apps for Enterprise versions prior to the fixed version

Description

The issue is an untrusted search path in Microsoft Office and Microsoft 365 Apps for Enterprise. This allows an attacker to execute arbitrary code. The vulnerability affects Word, PowerPoint, and Outlook. It is described as a logic bug that includes built-in process control and built-in PV bypass.

Recommendations

For Microsoft Office and Microsoft 365 Apps for Enterprise versions prior to the fixed version, update to the fixed version to resolve the issue. As a temporary workaround, consider restricting the use of built-in processes and PV until a patch is available.

Fix

RCE

Untrusted Search Path

Weakness Enumeration

Related Identifiers

BDU:2025-00632
CVE-2025-21365

Affected Products

365 Apps For Enterprise
Office
Outlook
Office Powerpoint
Office Word