Cyber Resilience

CVE-2025-21365

HighLPE

Published: 14 January 2025

Published
14 January 2025
Modified
01 July 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0073 73.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21365 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Microsoft 365 Apps. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 27.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

Microsoft Office contains a remote code execution vulnerability tracked as CVE-2025-21365. The flaw carries a CVSS 3.1 score of 7.8 with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and is associated with CWE-426. It affects Microsoft Office components and permits an attacker to execute arbitrary code when specific local conditions are met.

An attacker can exploit the issue by supplying a malicious file or document that a user opens on a vulnerable system. Because the attack requires user interaction but no prior privileges, successful exploitation grants the attacker full control over confidentiality, integrity, and availability on the affected host.

Microsoft has published official guidance and remediation details for CVE-2025-21365 at the Microsoft Security Response Center advisory page. The current EPSS score of 0.0073 with a recorded peak of 0.0103 reflects persistently low exploitation probability since disclosure.

EU & UK References

Vulnerability details

Microsoft Office Remote Code Execution Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability is exploited by tricking a user into opening a malicious Office document, which directly maps to T1204.002 Malicious File and results in RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21364Same product: Microsoft 365 Apps
CVE-2026-20956Same product: Microsoft 365 Apps
CVE-2025-26629Same product: Microsoft 365 Apps
CVE-2025-21397Same product: Microsoft 365 Apps
CVE-2026-20949Same product: Microsoft 365 Apps
CVE-2025-21363Same product: Microsoft 365 Apps
CVE-2026-21514Same product: Microsoft 365 Apps
CVE-2025-24077Same product: Microsoft 365 Apps
CVE-2026-20944Same product: Microsoft 365 Apps
CVE-2025-21392Same product: Microsoft 365 Apps

Affected Assets

microsoft
365 apps
all versions
microsoft
office long term servicing channel
2024

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by requiring timely patching of Microsoft Office to remediate the untrusted search path flaw.

preventdetect

Deploys anti-malware tools to scan and prevent execution of malicious Office documents exploiting the untrusted search path.

prevent

Enforces secure configuration settings for Microsoft Office, such as safe DLL search mode, to restrict loading from untrusted paths.

References