Cyber Resilience

CVE-2023-32029

High

Published: 14 June 2023

Published
14 June 2023
Modified
04 November 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.4033 97.4th percentile
Risk Priority 40 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-32029 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Excel. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Microsoft Excel contains a remote code execution vulnerability tracked as CVE-2023-32029. The flaw is an out-of-bounds read (CWE-125) that affects the application's handling of specially crafted spreadsheet files and carries a CVSS 3.1 base score of 7.8.

An attacker can exploit the issue by convincing a user to open a malicious Excel document on a local system. Because the attack vector requires user interaction but no privileges or additional authentication, successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the current user, resulting in full confidentiality, integrity, and availability impact.

Microsoft has published security updates addressing the vulnerability through its update guide, and Cisco Talos has released a detailed technical analysis (TALOS-2023-1730) that includes indicators for detection and verification of the fix.

The EPSS score for this CVE currently stands at 0.4033, indicating a moderate and stable probability of exploitation in the wild.

EU & UK References

Vulnerability details

Microsoft Excel Remote Code Execution Vulnerability

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
365 apps
all versions
microsoft
excel
2013, 2016
microsoft
office
2019
microsoft
office long term servicing channel
2021
microsoft
office online server
all versions

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References