CVE-2025-21394

High

Published: 11 February 2025

Published

11 February 2025

Modified

01 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0035 57.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21394 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked in the top 42.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the Use After Free vulnerability in Microsoft Excel through timely application of vendor-provided patches.

SI-16 Memory Protection partial match

prevent

Implements memory protections such as ASLR and DEP to mitigate exploitation of the Use After Free flaw during Excel file processing.

SI-3 Malicious Code Protection partial match

preventdetect

Deploys malicious code protection mechanisms to scan and block malicious Excel files prior to user interaction and execution.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

T1566.001 Spearphishing Attachment Initial Access

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.

attack.mitre.org →

Why these techniques?

The vulnerability is a client-side RCE in Excel triggered by opening a malicious file with user interaction, directly enabling T1204.002 (Malicious File under User Execution) and facilitating T1566.001 (Spearphishing Attachment) as a common delivery vector for such files.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Microsoft Excel Remote Code Execution Vulnerability

Deeper analysisAI

CVE-2025-21394 is a Remote Code Execution vulnerability affecting Microsoft Excel. Published on 2025-02-11, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-416 (Use After Free), though additional CWE details are unavailable from NVD.

The vulnerability can be exploited by a local attacker with low complexity and no required privileges, provided they can induce user interaction, such as opening a malicious Excel file. Successful exploitation allows arbitrary code execution in the context of the user, resulting in high impacts to confidentiality, integrity, and availability.

For mitigation details, refer to the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21394.

Details

CWE(s): CWE-416 NVD-CWE-noinfo

Affected Products

microsoft

365 apps

all versions

microsoft

excel

2016

microsoft

office

2019

microsoft

office long term servicing channel

2021, 2024

microsoft

office online server

≤ 16.0.10416.20058

CVEs Like This One

CVE-2025-21387Same product: Microsoft 365 Apps

CVE-2025-21386Same product: Microsoft 365 Apps

CVE-2026-20950Same product: Microsoft 365 Apps

CVE-2025-24082Same product: Microsoft 365 Apps

CVE-2026-26107Same product: Microsoft 365 Apps

CVE-2025-24081Same product: Microsoft 365 Apps

CVE-2025-21362Same product: Microsoft 365 Apps

CVE-2025-21383Same product: Microsoft 365 Apps

CVE-2025-21345Same product: Microsoft 365 Apps

CVE-2025-21392Same product: Microsoft 365 Apps

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21394
Patch, Vendor Advisory · secure@microsoft.com