CVE-2025-21354

High

Published: 14 January 2025

Published

14 January 2025

Modified

25 August 2025

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0173 82.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21354 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 17.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the Microsoft Excel RCE vulnerability stemming from CWE-822 untrusted pointer dereference by requiring timely application of vendor patches.

SI-16 Memory Protection good match

prevent

Implements memory safeguards such as ASLR and DEP that comprehensively mitigate exploitation of untrusted pointer dereference leading to arbitrary code execution.

SC-39 Process Isolation partial match

prevent

Provides process isolation to limit the impact of RCE within the Excel instance, containing potential code execution to the application's execution domain.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The vulnerability is a client-side RCE in Microsoft Excel allowing arbitrary code execution with no user interaction, directly mapping to exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Microsoft Excel Remote Code Execution Vulnerability

Deeper analysisAI

CVE-2025-21354 is a Remote Code Execution vulnerability in Microsoft Excel. Published on 2025-01-14, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-822 (Untrusted Pointer Dereference) along with NVD-CWE-noinfo.

The vulnerability can be exploited by a local attacker requiring low complexity, no privileges, and no user interaction. Successful exploitation enables the attacker to execute arbitrary code with high impacts on confidentiality, integrity, and availability within the affected Excel instance.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21354 provides details on mitigation, including available patches and recommended actions for security practitioners.

Details

CWE(s): CWE-822 NVD-CWE-noinfo

Affected Products

microsoft

365 apps

all versions

microsoft

office

2019

microsoft

office long term servicing channel

2021, 2024

microsoft

office online server

≤ 16.0.10416.20047

CVEs Like This One

CVE-2026-20955Same product: Microsoft 365 Apps

CVE-2025-21381Same product: Microsoft 365 Apps

CVE-2026-26112Same product: Microsoft 365 Apps

CVE-2025-24083Same product: Microsoft 365 Apps

CVE-2025-49697Same product: Microsoft 365 Apps

CVE-2026-26113Same product: Microsoft 365 Apps

CVE-2025-24081Same product: Microsoft 365 Apps

CVE-2025-21362Same product: Microsoft 365 Apps

CVE-2026-26109Same product: Microsoft 365 Apps

CVE-2025-21363Same product: Microsoft 365 Apps

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21354
Patch, Vendor Advisory · secure@microsoft.com