Microsoft has disclosed a critical remote code execution vulnerability in its Office ecosystem that can be exploited through a malicious Excel file.
The vulnerability, tracked as CVE-2025-60727, affects multiple versions of Microsoft Office and underscores the continued risk posed by document-based attack techniques commonly used in phishing campaigns.
The issue is classified as an out-of-bounds read vulnerability (CWE-125). It exists in the way Microsoft Excel processes specially crafted file structures.
When a malicious Excel document is opened, the application may read memory outside the intended buffer. This improper memory access allows attackers to influence how the application behaves, ultimately enabling execution of arbitrary code on the target system.
The vulnerability impacts a wide range of Microsoft products, including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server.
Since these products are widely used across enterprise and personal environments, the potential attack surface is significant.
Microsoft 365 Apps RCE Vulnerability Exploit
Exploitation of CVE-2025-60727 requires user interaction, as the victim must open a malicious Excel file.
However, the attack does not require authentication or elevated privileges. This makes it particularly effective in phishing scenarios, where attackers trick users into opening seemingly legitimate documents.
For instance, a threat actor may send an email disguised as a business report or invoice containing a weaponized Excel attachment. Once opened, the file can trigger the vulnerability and execute malicious code in the background.
The root cause of the flaw lies in insufficient validation of length and offset values during Excel file parsing. When Excel processes a malformed file, it reads beyond allocated memory boundaries.
Attackers can carefully design the file structure to control this behavior, using the exposed memory to manipulate execution flow and run malicious instructions within the Excel process.
Successful exploitation gives attackers the same level of access as the current user. This can lead to data theft, malware installation, persistence mechanisms, and full-system compromise, affecting confidentiality, integrity, and availability.
In enterprise environments, such access can also be used as a foothold for lateral movement.
Detection of exploitation attempts relies on monitoring unusual behaviors associated with Excel. Security teams may observe Excel spawning unexpected child processes such as command shells or scripting engines.
Suspicious outbound network connections initiated by Excel shortly after opening a document can also indicate compromise. In some cases, systems may generate crash reports or access violations related to Excel when processing malformed files.
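The two behaviors described above translate directly into hunting logic. The following script is an added example, not code from the article, Microsoft, or SentinelOne: it reads constructed Sysmon-style process-creation and network-connection records and flags (a) Excel launching a shell or scripting engine and (b) Excel connecting to a non-internal address within a short window after it was launched with a spreadsheet on its command line. The log format, the child-process list, the 60-second window, and the sample addresses are all assumptions to tune for a real estate.

```python
"""Hunting rules for the Excel behaviours the article lists: Excel spawning a
shell or scripting engine, and Excel reaching out to an external host shortly
after opening a spreadsheet. Added example; not from the article or Microsoft.
Log lines are constructed in a Sysmon-like key=value form (no spaces in values)."""
from datetime import datetime, timedelta
import ipaddress

# Child images Excel should not normally launch (assumption: tune per estate).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SPREADSHEET_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")
NETWORK_WINDOW = timedelta(seconds=60)   # "shortly after" opening a document
# RFC 1918, loopback and link-local ranges; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry: a suspicious document open at 09:00 and a
# benign one at 09:30. 203.0.113.45 is a documentation (TEST-NET-3) address
# standing in for an attacker-controlled host.
SAMPLE_LOG = r"""
ts=2025-11-12T09:00:00 event=ProcessCreate image=C:\Office\EXCEL.EXE parent=C:\Windows\explorer.exe cmdline=C:\Office\EXCEL.EXE,C:\Users\alice\Downloads\Invoice_4471.xlsx
ts=2025-11-12T09:00:07 event=NetworkConnect image=C:\Office\EXCEL.EXE dst=203.0.113.45 dport=443
ts=2025-11-12T09:00:09 event=ProcessCreate image=C:\Windows\System32\cmd.exe parent=C:\Office\EXCEL.EXE cmdline=cmd.exe
ts=2025-11-12T09:00:10 event=ProcessCreate image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\cmd.exe cmdline=powershell.exe
ts=2025-11-12T09:00:30 event=NetworkConnect image=C:\Office\EXCEL.EXE dst=10.1.2.3 dport=445
ts=2025-11-12T09:30:00 event=ProcessCreate image=C:\Office\EXCEL.EXE parent=C:\Windows\explorer.exe cmdline=C:\Office\EXCEL.EXE
ts=2025-11-12T09:30:02 event=ProcessCreate image=C:\Windows\splwow64.exe parent=C:\Office\EXCEL.EXE cmdline=splwow64.exe
"""


def parse_line(line):
    """Turn 'ts=... event=... key=value ...' into a dict with a datetime ts."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip):
    """True unless the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(lines):
    """Return (kind, iso_timestamp, detail) findings for the two rules."""
    events = [parse_line(l) for l in lines if l.strip()]
    # Times at which Excel was started with a spreadsheet on its command line.
    excel_opens = [e["ts"] for e in events
                   if e["event"] == "ProcessCreate"
                   and basename(e["image"]) == "excel.exe"
                   and e.get("cmdline", "").lower().endswith(SPREADSHEET_EXTS)]
    findings = []
    for e in events:
        if e["event"] == "ProcessCreate":
            # Rule 1: direct child of Excel that is a shell or script host.
            # (Grandchildren, e.g. powershell under cmd, are left to tree
            # correlation in a real pipeline.)
            if (basename(e.get("parent", "")) == "excel.exe"
                    and basename(e["image"]) in SUSPICIOUS_CHILDREN):
                findings.append(("excel_child_process",
                                 e["ts"].isoformat(), basename(e["image"])))
        elif e["event"] == "NetworkConnect" and basename(e["image"]) == "excel.exe":
            # Rule 2: external connection within NETWORK_WINDOW of a document open.
            recent = any(timedelta(0) <= e["ts"] - t <= NETWORK_WINDOW
                         for t in excel_opens)
            if recent and is_external(e["dst"]):
                findings.append(("excel_outbound_after_open",
                                 e["ts"].isoformat(), e["dst"]))
    return findings


if __name__ == "__main__":
    for kind, ts, detail in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind}: {detail}")
```

On the sample data the script reports the outbound connection at 09:00:07 and the cmd.exe child at 09:00:09, while the internal SMB connection, the later file-less Excel launch, and the printing helper (splwow64.exe) stay quiet. The internal-range list is deliberately explicit rather than using ipaddress's is_private, which would also classify the documentation ranges used in sample data as private.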
Microsoft has released security updates to address this vulnerability, and organizations are strongly advised to apply these patches immediately.
Keeping Microsoft 365 Apps updated through the Click-to-Run channel and deploying the latest security updates for standalone Office versions is essential.
Additional mitigation steps include enforcing Protected View for files originating from external sources, blocking macros and external content, and enabling security controls such as Attack Surface Reduction rules.
According to SentinelOne, restricting Excel files from untrusted sources and strengthening email filtering can reduce exposure.
The vulnerability was first published in the National Vulnerability Database on November 11, 2025, and updated on June 17, 2026.
Although there are currently no public reports of active exploitation, the technique aligns closely with well-known phishing and document-based attack methods, making it a high-risk issue that organizations should not ignore.