Cyber Resilience

CVE-2025-21354

Severity: High

Published: 14 January 2025
Modified: 25 August 2025
CVSS Score (v3.1): 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0129 (80.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21354 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 19.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Microsoft Excel is affected by a remote code execution vulnerability, CVE-2025-21354, which carries a CVSS 3.1 score of 8.4 under the vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is linked to CWE-822 and enables arbitrary code execution on affected installations of the spreadsheet application.

An attacker with local access to a vulnerable system can trigger the flaw without credentials or user interaction, achieving full control over confidentiality, integrity, and availability of the host. The attack surface is therefore limited to scenarios where an adversary can already place or invoke malicious content locally.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21354 supplies official remediation details. Exploitation probability has stayed low, with the EPSS score reaching a peak of only 0.0173.

EU & UK References

Vulnerability details

Microsoft Excel Remote Code Execution Vulnerability

CWE(s): CWE-822 Untrusted Pointer Dereference

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability is a client-side RCE in Microsoft Excel allowing arbitrary code execution with no user interaction, directly mapping to exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20955 (same product: Microsoft 365 Apps)
CVE-2025-21381 (same product: Microsoft 365 Apps)
CVE-2026-26112 (same product: Microsoft 365 Apps)
CVE-2025-24083 (same product: Microsoft 365 Apps)
CVE-2026-26113 (same product: Microsoft 365 Apps)
CVE-2025-24081 (same product: Microsoft 365 Apps)
CVE-2025-21362 (same product: Microsoft 365 Apps)
CVE-2025-49697 (same product: Microsoft 365 Apps)
CVE-2026-40359 (same product: Microsoft 365 Apps)
CVE-2026-26109 (same product: Microsoft 365 Apps)

Affected Assets

Microsoft 365 Apps: all versions
Microsoft Office: 2019
Microsoft Office Long Term Servicing Channel: 2021, 2024
Microsoft Office Online Server: ≤ 16.0.10416.20047

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the Microsoft Excel RCE vulnerability stemming from CWE-822 untrusted pointer dereference by requiring timely application of vendor patches.

SI-16 Memory Protection (prevent)

Implements memory safeguards such as ASLR and DEP that comprehensively mitigate exploitation of untrusted pointer dereference leading to arbitrary code execution.

Process isolation (prevent)

Provides process isolation to limit the impact of RCE within the Excel instance, containing potential code execution to the application's execution domain.

References