A newly disclosed remote code execution (RCE) vulnerability in Microsoft Office, tracked as CVE-2025-21365, has raised significant concern among security teams. The flaw affects multiple Office versions and lets an attacker execute arbitrary code on a victim's machine if the victim can be convinced to open a malicious document.
Vulnerability Overview
CVE-2025-21365 is a memory corruption vulnerability in Microsoft Office's document parser. Security researchers at Kaspersky Labs first identified the flaw during routine vulnerability research. The bug lies in how Office handles specially crafted RTF (Rich Text Format) documents, although other file formats may also be affected.
Key characteristics:
- CVSS Score: 9.3 (Critical)
- User Interaction: required (the victim must open a malicious file)
- Impact: arbitrary code execution with the privileges of the user who opened the file, which amounts to full system compromise when that user holds administrative rights
- Affected Products:
  - Microsoft Office 2019
  - Microsoft 365 Apps for Enterprise
  - Office LTSC 2021
  - Potentially older versions still receiving extended security updates
Technical Analysis
The vulnerability stems from improper memory handling when Office parses document objects. Researchers found that:
- A specially crafted document can trigger a heap-based buffer overflow
- Exploitation reportedly defeats Address Space Layout Randomization (ASLR), so the attacker does not have to guess module addresses
- The vulnerable code path performs no bounds check on the attacker-controlled object
- Successful exploitation yields code execution as the user who opened the file, and therefore a complete system takeover when that user is an administrator
"This is particularly dangerous because Office documents are commonly exchanged in business environments," explains Maria Chen, Senior Security Analyst at Kaspersky. "The attack requires no special privileges and works across multiple Windows versions."
Current Threat Landscape
As of publication, Microsoft has not observed active exploitation in the wild. However:
- Proof-of-concept code is circulating in security researcher circles
- The vulnerability is relatively easy to weaponize
- Attackers frequently target Office vulnerabilities in phishing campaigns
Security firms have observed increased scanning activity for vulnerable Office installations, suggesting threat actors may be preparing exploitation attempts.
Mitigation Strategies
Until Microsoft releases an official patch, organizations should implement these protective measures:
Immediate Actions:
- Block RTF documents from untrusted sources with Office's File Block settings, or at minimum force them to open only in Protected View
- Enable Office Protected View for files from the internet, Outlook attachments and unsafe locations, and prevent users from turning it off
- Apply Microsoft's security baseline for Office (distributed with the Security Compliance Toolkit)
- Block RTF files at email gateways; Office chooses the parser from file content rather than from the extension, so filter on the `{\rtf` signature at the start of the file and not on the .rtf extension alone
Protected View does not prevent the parser bug from being triggered; it confines the payload to a sandboxed, low-privilege process. It is a containment layer and should be combined with the blocking controls above.
Configuration Changes:
```powershell
# Setting from the original article; the path below is the Click-to-Run registry overlay and applies only to Click-to-Run installations
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\Security" -Name "DisableUnsafeDynamicTypes" -Value 1 -Type DWORD
```
Before deploying this at scale, confirm that the value name matches a setting in your Office ADMX templates and that the key exists on the target build; Set-ItemProperty fails if the parent key is missing, and MSI-based installations keep their settings under HKLM:\SOFTWARE\Microsoft\Office\16.0 directly rather than under the ClickToRun overlay.
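The following is an added example, not code from the article or from Microsoft, that applies the Immediate Actions above as enforceable policy for Word: Protected View for every untrusted origin, File Block for RTF, and the Defender Attack Surface Reduction rule that stops Office from launching child processes. Registry value names are taken from the Word 2016+ Group Policy (ADMX) templates and the rule GUID from Defender's ASR documentation; treat both as assumptions to verify against your template and Defender versions. The Office version key `16.0`, the function names and the choice to start ASR in audit mode are this example's own.

```powershell
#Requires -Version 5.1
# Added example, not from the article. Hardens Word against untrusted RTF and
# limits what a successful exploit can spawn. Value names follow the Word ADMX
# templates and the ASR GUID follows Defender docs (assumption: verify for your
# versions). HKCU policies apply to the current user; deploy fleet-wide via GPO
# or Intune. Add-MpPreference requires an elevated session.

$OfficeVersion = '16.0'   # Office 2016/2019/LTSC 2021 and Microsoft 365 Apps all use the 16.0 key
$WordPolicy    = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # New-Item -Force creates missing intermediate keys; Set-ItemProperty alone would fail
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Enable-WordProtectedView {
    # The policy values are "Disable..." flags, so 0 keeps Protected View ON for that origin
    $pv = "$WordPolicy\ProtectedView"
    Set-PolicyDword $pv 'DisableInternetFilesInPV'   0   # files carrying Mark-of-the-Web
    Set-PolicyDword $pv 'DisableAttachementsInPV'    0   # Outlook attachments (Microsoft's own spelling)
    Set-PolicyDword $pv 'DisableUnsafeLocationsInPV' 0   # Temporary Internet Files and similar
}

function Set-WordRtfFileBlock {
    param([switch]$BlockOpenEntirely)
    $fb = "$WordPolicy\FileBlock"
    # RtfFiles = 2 blocks open and save; OpenInProtectedView then decides what "blocked" means:
    #   0 = blocked files open read-only in Protected View, 1 = blocked files are not opened at all
    Set-PolicyDword $fb 'RtfFiles' 2
    Set-PolicyDword $fb 'OpenInProtectedView' $(if ($BlockOpenEntirely) { 1 } else { 0 })
}

function Enable-OfficeChildProcessAsr {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Action = 'AuditMode')
    # Defender ASR rule "Block all Office applications from creating child processes"
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions $Action
}

function Get-HardeningState {
    # Read back the applied settings so they can be checked or exported as evidence
    [pscustomobject]@{
        ProtectedView = Get-ItemProperty "$WordPolicy\ProtectedView" -ErrorAction SilentlyContinue |
                        Select-Object DisableInternetFilesInPV, DisableAttachementsInPV, DisableUnsafeLocationsInPV
        FileBlock     = Get-ItemProperty "$WordPolicy\FileBlock" -ErrorAction SilentlyContinue |
                        Select-Object RtfFiles, OpenInProtectedView
        AsrRuleIds    = (Get-MpPreference).AttackSurfaceReductionRules_Ids
    }
}

Enable-WordProtectedView
Set-WordRtfFileBlock             # add -BlockOpenEntirely to refuse RTF outright
Enable-OfficeChildProcessAsr     # audit first; review Defender event 1122, then rerun with -Action Enabled
Get-HardeningState | Format-List
```

Start the ASR rule in audit mode and review the Defender/Operational log (event 1122 for audited, 1121 for blocked) before enforcing it, because some line-of-business add-ins legitimately spawn processes from Office and will break once the rule is enabled.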
Microsoft's Response
Microsoft has acknowledged the vulnerability and plans to address it in the upcoming Patch Tuesday release. The company stated:
"We're aware of the vulnerability reports and working on a security update. Customers who apply our defense-in-depth protections, including Attack Surface Reduction rules, have additional mitigation against potential exploits."
Enterprise Impact
This vulnerability poses particular risks for:
- Financial institutions
- Government agencies
- Legal firms
- Healthcare organizations
These sectors routinely exchange sensitive documents with external parties, and their approval workflows often require staff to open attachments from senders they do not know, which is exactly the user interaction this exploit needs.
Historical Context
Similar Office vulnerabilities have been exploited in:
- The 2017 Dridex malware campaigns
- 2018 APT28 attacks
- 2020 ransomware distribution campaigns
This pattern suggests CVE-2025-21365 could become similarly weaponized if not patched promptly.
Detection Methods
Security teams can hunt for these behavioural indicators (none is a hash-style indicator of compromise, so they must be monitored continuously rather than matched once):
- Office processes (winword.exe, excel.exe, powerpnt.exe, outlook.exe) spawning unexpected children such as cmd.exe, powershell.exe, wscript.exe, mshta.exe or rundll32.exe
- Office applications crashing with memory-access errors (Application log event 1000 from the Application Error source), which can be the residue of failed exploitation attempts
- Suspicious document metadata or structure, including files whose content is RTF despite carrying a .doc or .docx extension
- Unusual outbound network connections from an Office process or its children shortly after a document is opened
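The following is an added example, not code from the article, that turns the first three indicators above into a small hunting toolkit: a rule that flags Office processes spawning unexpected children, a Sysmon process-creation query and an Application Error query to feed it, and a content check that identifies RTF regardless of extension. The process lists, the known-good child list and the three sample events are this example's own constructions, not real telemetry, and should be tuned to your estate.

```powershell
#Requires -Version 5.1
# Added example, not from the article. Hunts for the behaviours above in
# Sysmon Event ID 1 (process creation) and Application Error event 1000.
# Lists below are assumptions to tune per environment.

$OfficeParents      = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe'
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                      'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe'
$KnownGoodChildren  = 'splwow64.exe', 'dw20.exe', 'werfault.exe', 'msosync.exe'   # routine Office children

function Test-OfficeSpawn {
    # Emits one finding per process whose parent is an Office binary and whose image is not known-good
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $parent = [IO.Path]::GetFileName($Record.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
        if ($OfficeParents -notcontains $parent) { return }
        if ($KnownGoodChildren -contains $child) { return }
        $severity = if ($SuspiciousChildren -contains $child) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            Severity = $severity; Host = $Record.Computer; Time = $Record.UtcTime
            Parent = $parent; Child = $child; CommandLine = $Record.CommandLine
        }
    }
}

function Get-SysmonProcessCreate {
    # Live source: Sysmon Event ID 1 from the last N hours, projected to the fields Test-OfficeSpawn needs
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Computer = $_.MachineName; UtcTime = $data.UtcTime
            Image = $data.Image; ParentImage = $data.ParentImage; CommandLine = $data.CommandLine
        }
    }
}

function Get-OfficeCrashEvent {
    # Application Error (event 1000) entries naming an Office binary; bursts of these are worth triage
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)(winword|excel|powerpnt|outlook)\.exe' } |
        Select-Object TimeCreated, MachineName, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..2] -join ' ' } }
}

function Test-RtfContent {
    # Office selects the parser from content, so "invoice.doc" starting with "{\rtf" is parsed as RTF
    param([string]$Path)
    $buffer = New-Object byte[] 5
    $stream = [IO.File]::OpenRead((Resolve-Path $Path).Path)
    try { $read = $stream.Read($buffer, 0, 5) } finally { $stream.Dispose() }
    return ($read -eq 5 -and [Text.Encoding]::ASCII.GetString($buffer) -eq '{\rtf')
}

# Constructed sample events (not real telemetry): expect one High finding for WS01 and nothing for explorer.exe
$sample = @(
    [pscustomobject]@{ Computer = 'WS01'; UtcTime = '2025-01-14 09:12:03'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c powershell -enc AAAA' },
    [pscustomobject]@{ Computer = 'WS01'; UtcTime = '2025-01-14 09:12:04'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\splwow64.exe'; CommandLine = 'splwow64.exe 12288' },
    [pscustomobject]@{ Computer = 'WS02'; UtcTime = '2025-01-14 09:15:40'; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe' }
)
$sample | Test-OfficeSpawn | Format-Table -AutoSize
# Live use on an endpoint with Sysmon:  Get-SysmonProcessCreate -Hours 24 | Test-OfficeSpawn
#                                       Get-OfficeCrashEvent -Hours 24
```

The Sysmon query requires a Sysmon configuration that logs process creation with parent image and command line; on hosts without Sysmon, Security event 4688 with command-line auditing enabled carries the same fields under different names and can be projected into the same record shape.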
Long-Term Security Recommendations
- Implement application control (allowlisting) such as AppLocker or Windows Defender Application Control so that a dropped payload cannot execute
- Deploy email security that detonates attachments in a sandbox before delivery
- Conduct regular security awareness training on handling unsolicited documents
- Maintain an up-to-date incident response playbook for Office-borne compromises
FAQ
Q: Are Mac versions of Office vulnerable?
A: Current analysis suggests only Windows versions are affected.
Q: Can antivirus detect malicious documents?
A: Some next-gen AV solutions may detect exploit attempts, but signature-based detection is unreliable.
Q: When will Microsoft release a patch?
A: Expected in the next Patch Tuesday cycle, though out-of-band updates are possible if exploitation increases.
Conclusion
CVE-2025-21365 represents a significant threat to organizations using Microsoft Office. While no active exploits have been observed, the vulnerability's critical nature and ease of weaponization make prompt mitigation essential. Security teams should implement temporary protections while awaiting Microsoft's official patch and remain vigilant for potential phishing campaigns attempting to exploit this vulnerability.