Microsoft: Microsoft 365 Apps RCE Vulnerability Lets Attackers Execute Code via Malicious Excel Files

Critical RCE Vulnerability in Microsoft 365 Apps Exposes Enterprises to Code Execution Attacks

A newly disclosed remote code execution (RCE) vulnerability in Microsoft 365 Apps, tracked as CVE-2025-60727, allows attackers to execute arbitrary code on target systems via malicious Excel documents. The flaw stems from an out-of-bounds read condition (CWE-125) in Excel’s file-parsing mechanism, enabling memory corruption and code execution under the logged-in user’s privileges.

The vulnerability affects a broad range of Microsoft Office products, including Microsoft 365 Apps (x86/x64), Excel 2016, Office 2019, Office LTSC 2021/2024, and Office Online Server, expanding the attack surface across enterprise and legacy environments. Exploitation occurs when Excel processes specially crafted spreadsheets (e.g., .xls or .xlsx files) with manipulated length and offset values, forcing the application to read memory outside allocated buffers. This can expose sensitive memory regions and redirect execution flow, leading to arbitrary code execution.
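To make the bug class concrete, here is an added illustration (not Excel's code and not from the source article) of a record walker over a constructed byte stream laid out like the BIFF records in legacy .xls files: a 2-byte record id, a 2-byte little-endian payload length, then the payload. The naive walker trusts the declared length, which in a native parser becomes an out-of-bounds read; the checked walker rejects the record before reading.

```python
import struct

class MalformedRecord(ValueError):
    """Raised when a record's declared length does not fit in the buffer."""

# Constructed sample stream (not a real workbook). The third record declares
# 0x0400 payload bytes while only four remain, mimicking the manipulated
# length field the advisory describes.
SAMPLE_STREAM = (
    struct.pack("<HH", 0x0809, 4) + b"\x00\x06\x05\x00"             # BOF record
    + struct.pack("<HH", 0x0201, 6) + b"\x01\x00\x02\x00\x0f\x00"   # BLANK record
    + struct.pack("<HH", 0x00FC, 0x0400) + b"\xaa\xbb\xcc\xdd"     # SST, bogus length
)

def parse_records_naive(stream: bytes) -> list:
    """Trusts the declared length. Python slicing silently truncates, so this
    returns a short payload; the same logic in a native parser reads past the
    end of the buffer (CWE-125) because offset + length is never compared
    against the buffer size."""
    records, off = [], 0
    while off + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, off)
        records.append((rec_id, length, stream[off + 4 : off + 4 + length]))
        off += 4 + length
    return records

def parse_records_checked(stream: bytes) -> list:
    """Same walker with the bounds check a hardened parser needs: a full header
    must be present and the declared payload must fit in the remaining bytes
    before anything is read."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise MalformedRecord(f"truncated record header at offset {off}")
        rec_id, length = struct.unpack_from("<HH", stream, off)
        end = off + 4 + length
        if end > len(stream):
            raise MalformedRecord(
                f"record 0x{rec_id:04X} at offset {off} declares {length} bytes "
                f"but only {len(stream) - off - 4} remain")
        records.append((rec_id, length, stream[off + 4 : end]))
        off = end
    return records

def is_well_formed(stream: bytes) -> bool:
    """True when every record in the stream fits inside the buffer."""
    try:
        parse_records_checked(stream)
        return True
    except MalformedRecord:
        return False
```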

While exploitation requires user interaction, such as opening a malicious file, attackers commonly deliver payloads via phishing emails, file-sharing platforms, or drive-by downloads. Successful exploitation grants attackers the same privileges as the victim, enabling lateral movement, credential harvesting, or deployment of ransomware and information stealers. Though no in-the-wild exploitation or public proof-of-concept code has been confirmed, the vulnerability aligns with document-based intrusion techniques used in targeted campaigns.

Security teams are advised to monitor for suspicious behaviors, including Excel spawning child processes (e.g., cmd.exe, PowerShell, mshta.exe), unexpected outbound network connections from EXCEL.EXE, malformed documents with unusual OLE objects, or crash telemetry indicating access violations. Correlating endpoint, email gateway, and proxy logs can help detect exploitation attempts.
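The detection logic the paragraph describes, as an added example (not from the source article or any vendor product), run over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events. The destination allowlist is an assumed placeholder to be replaced with your own baseline.

```python
# Constructed Sysmon-style events (not real telemetry); field names follow
# Sysmon's schema so the logic maps directly onto exported endpoint logs.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EXCEL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"EXCEL.EXE" Q3-budget.xlsx', "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EXCEL,
     "CommandLine": "cmd.exe /c whoami", "User": r"CORP\alice"},
    {"EventID": 3, "Image": EXCEL, "DestinationHostname": "files.corp.example",
     "DestinationPort": 445, "User": r"CORP\bob"},
    {"EventID": 3, "Image": EXCEL, "DestinationHostname": "",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "User": r"CORP\alice"},
]

# Child images the advisory names as suspicious when spawned by Excel.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Assumed allowlist of destinations Excel legitimately reaches here (placeholder).
EXPECTED_DESTINATIONS = {"files.corp.example"}

def image_name(path: str) -> str:
    """Last path component, lower-cased, so install location does not matter."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_excel_abuse(events, expected=EXPECTED_DESTINATIONS):
    """Return (rule, user, detail) tuples for the two behaviours the advisory
    lists: Excel spawning a shell or script host, and Excel opening an
    outbound connection to a destination outside the baseline."""
    alerts = []
    for ev in events:
        image = image_name(ev.get("Image", ""))
        user = ev.get("User", "")
        if ev.get("EventID") == 1:
            parent = image_name(ev.get("ParentImage", ""))
            if parent == "excel.exe" and image in SUSPICIOUS_CHILDREN:
                alerts.append(("excel_child_process", user,
                               f"{image}: {ev.get('CommandLine', '')}"))
        elif ev.get("EventID") == 3 and image == "excel.exe":
            dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
            if dest not in expected:
                alerts.append(("excel_unexpected_network", user,
                               f"{dest}:{ev.get('DestinationPort', '')}"))
    return alerts

def users_with_both(alerts):
    """Correlation step: users showing both behaviours warrant immediate triage."""
    by_user = {}
    for rule, user, _ in alerts:
        by_user.setdefault(user, set()).add(rule)
    return sorted(u for u, rules in by_user.items() if len(rules) == 2)
```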

Microsoft has released security updates to patch CVE-2025-60727. Additional mitigations include enforcing Protected View for external files, blocking macros and external content via Group Policy, and enabling Attack Surface Reduction (ASR) rules to prevent Office applications from spawning child processes. Restricting Excel file downloads from untrusted sources and enhancing email filtering further reduces exposure risks. The flaw underscores the persistent threat posed by document-based attack vectors in enterprise workflows.

Source: https://gbhackers.com/microsoft-365-apps-rce-vulnerability/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft

"id": "mic1782721445",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Broad range of enterprise and '
                                              'legacy environments',
                        'industry': 'Software',
                        'location': 'Global',
                        'name': 'Microsoft',
                        'size': 'Enterprise',
                        'type': 'Technology Company'}],
 'attack_vector': ['Phishing emails',
                   'File-sharing platforms',
                   'Drive-by downloads'],
 'data_breach': {'file_types_exposed': ['Excel files (.xls, .xlsx)']},
 'description': 'A newly disclosed remote code execution (RCE) vulnerability '
                'in Microsoft 365 Apps, tracked as CVE-2025-60727, allows '
                'attackers to execute arbitrary code on target systems via '
                'malicious Excel documents. The flaw stems from an '
                'out-of-bounds read condition (CWE-125) in Excel’s '
                'file-parsing mechanism, enabling memory corruption and code '
                'execution under the logged-in user’s privileges.',
 'impact': {'identity_theft_risk': 'High (if credentials or PII are harvested)',
            'operational_impact': 'Arbitrary code execution, lateral movement, '
                                  'credential harvesting, ransomware '
                                  'deployment, information theft',
            'systems_affected': 'Microsoft 365 Apps (x86/x64), Excel 2016, '
                                'Office 2019, Office LTSC 2021/2024, Office '
                                'Online Server'},
 'lessons_learned': 'The flaw underscores the persistent threat posed by '
                    'document-based attack vectors in enterprise workflows.',
 'post_incident_analysis': {'corrective_actions': 'Security updates, ASR '
                                                  'rules, macro blocking, '
                                                  'Protected View enforcement',
                            'root_causes': 'Out-of-bounds read condition '
                                           '(CWE-125) in Excel’s file-parsing '
                                           'mechanism'},
 'recommendations': ['Apply Microsoft security updates for CVE-2025-60727',
                     'Enforce Protected View for external files',
                     'Block macros and external content via Group Policy',
                     'Enable Attack Surface Reduction (ASR) rules',
                     'Restrict Excel file downloads from untrusted sources',
                     'Enhance email filtering'],
 'references': [{'source': 'Microsoft Security Update'}],
 'response': {'containment_measures': ['Enforcing Protected View for external '
                                       'files',
                                       'Blocking macros and external content '
                                       'via Group Policy',
                                       'Enabling Attack Surface Reduction '
                                       '(ASR) rules'],
              'enhanced_monitoring': ['Monitoring for suspicious behaviors '
                                      '(e.g., Excel spawning child processes '
                                      'like cmd.exe, PowerShell, mshta.exe)',
                                      'Detecting unexpected outbound network '
                                      'connections from EXCEL.EXE',
                                      'Identifying malformed documents with '
                                      'unusual OLE objects or crash telemetry'],
              'remediation_measures': 'Microsoft has released security updates '
                                      'to patch CVE-2025-60727'},
 'title': 'Critical RCE Vulnerability in Microsoft 365 Apps Exposes '
          'Enterprises to Code Execution Attacks',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-60727 (Out-of-bounds read condition - '
                            'CWE-125)'}