Microsoft has released a security update for a critical out-of-bounds read vulnerability in Excel that could allow remote code execution—but the patch is not yet available for Mac users. Tracked as CVE-2025-54902, the flaw in Excel’s file-parsing logic can be triggered by opening a specially crafted spreadsheet, potentially handing attackers control of a targeted machine. While Windows and other platforms have received fixes, Microsoft confirmed that security updates for Office LTSC for Mac 2021 and 2024 are delayed and will be released “as soon as possible.”
The Microsoft Security Response Center (MSRC) advisory warns that the bug—an out-of-bounds read—may lead to code execution, making it a high-priority patch for enterprise IT and security teams. Attackers can exploit the vulnerability through phishing emails, shared documents, or drive-by downloads, and the widespread use of Excel magnifies the risk. Even a low-complexity exploit could serve as an initial access vector, allowing adversaries to gain a foothold in corporate networks.
What Is CVE-2025-54902?
CVE-2025-54902 is a memory-safety defect in the way Microsoft Excel parses spreadsheet files. When the software reads data from a malformed or excessively large file, it can access memory outside an allocated buffer—a classic out-of-bounds read. The advisory does not specify the exact file formats affected, but typical vectors include .XLSX, .XLSB, .XLS, or embedded objects. An attacker who successfully exploits the flaw can achieve code execution with the privileges of the logged-in user.
Out-of-bounds memory errors in Office components have a long history of being chained into full exploitation. While an out-of-bounds read alone often leaks information, it can be combined with other primitives—such as heap grooming or type confusion—to corrupt memory and hijack execution flow. This pattern has been observed in multiple Excel vulnerabilities disclosed throughout 2025, reinforcing the need for rapid patching.
How the Attack Works
The exploitation chain begins with a malicious document. An attacker crafts a spreadsheet that triggers the out-of-bounds read when opened or previewed in a vulnerable version of Excel. In many enterprises, email attachments or shared cloud files are common delivery methods. If a user opens the file, the parsing bug kicks in, and the attacker’s code runs with the user’s privileges. No additional authentication is needed, and the attack surface is massive—Excel is installed on hundreds of millions of devices globally.
Compounding the danger, some environments automatically render attachments or use server-side document processing (e.g., mail gateways, SharePoint previews). If those renderers are vulnerable, exploitation can occur without explicit user interaction, sliding the attack from interaction-required to a drive-by scenario. Once code execution is achieved, the attacker can deploy malware, establish persistence, and move laterally within the network.
Microsoft’s Advisory and Patch Availability
The MSRC advisory is the definitive source for patching guidance. It lists affected Excel builds for various servicing channels—Microsoft 365 Apps, Office LTSC, and perpetual versions—and directs administrators to install the latest security updates. For Windows and Office on other platforms, KB articles accompanying the patches provide specific build numbers. Organizations running Click-to-Run or MSI-based Office can verify patching status through registry keys or the About dialog.
However, the advisory carries a critical footnote: “The security update for Microsoft Office LTSC for Mac 2021 and 2024 are not immediately available.” Mac users remain exposed until the update ships. Microsoft says it will revise the CVE information once the patches are ready, but has not provided a timeline. In the interim, Mac administrators must rely on mitigations.
Third-party databases such as the NVD may not yet reflect CVE-2025-54902; indexing lag is common. Defenders should not wait for external confirmation—the vendor advisory is authoritative and actionable.
Why This Vulnerability Demands Urgent Action
- Document-triggered privilege: A single malicious file can open the door to the entire system. Phishing campaigns remain the number-one delivery mechanism for such threats.
- Code execution potential: Although the root cause is an out-of-bounds read, Microsoft explicitly warns that it “could result in remote code execution.” In corporate environments, that translates to ransomware, data theft, or espionage.
- Ubiquitous attack surface: Excel is a business-critical application; blocking it is rarely feasible. Attackers know this and weaponize parsing bugs for both targeted intrusions and mass malware distribution.
- Hard to detect: Parsing-level exploits often evade signature-based antivirus because the malicious payload is embedded in data structures rather than recognizable binaries. Behavioral analysis and endpoint detection are essential.
Immediate Mitigations for All Excel Users
Patching should be the top priority. Where immediate patching is not possible—and especially for Mac users awaiting the update—short-term controls can significantly reduce risk.
Enforce Protected View
Configure Office to open files from the internet or email attachments in Protected View. This sandboxes the document, preventing active content from running and limiting the exploit’s surface. Group Policy settings can force this behaviour:
- File Block Settings: Block opening of files from the internet zone.
- Protected View: Always open untrusted files in a restricted environment.
Apply Attack Surface Reduction (ASR) Rules
Microsoft Defender’s ASR rules can break common exploitation chains. Enable:
- “Block Office applications from creating child processes” (rule 75668DC2-606B-4625-AF17-0BB2FB0C6AA0)
- “Block Office applications from injecting code into other processes” (rule 3B5238F9-C55B-4E18-872E-178F6A0FF1B3)
These rules prevent Excel from spawning cmd.exe, PowerShell, or other tools used by attackers.
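The following is an added example, not code from Microsoft or from this article: it enables the two ASR rules listed above with Add-MpPreference and then reads the effective state back with Get-MpPreference. It assumes an elevated PowerShell session on a Windows endpoint where Microsoft Defender Antivirus is the active antimalware engine, since ASR rules do not take effect when a third-party product is primary.

```powershell
# Added example (not Microsoft's or the article's code): enable the two ASR rules
# named in the article and verify the resulting state. Run elevated, on an endpoint
# where Microsoft Defender Antivirus is the active AV.

$AsrRules = @{
    '75668DC2-606B-4625-AF17-0BB2FB0C6AA0' = 'Block Office applications from creating child processes'
    '3B5238F9-C55B-4E18-872E-178F6A0FF1B3' = 'Block Office applications from injecting code into other processes'
}

# Use 'AuditMode' first if you need to measure business impact before blocking;
# 'Enabled' enforces the block. Valid values: Disabled, Enabled, AuditMode, Warn.
$Action = 'Enabled'

# Add-MpPreference updates only the listed rule IDs; Set-MpPreference with the same
# parameters would replace the whole rule list, so Add- is the safer choice here.
foreach ($Id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Action
}

# Get-MpPreference exposes two parallel arrays: configured rule IDs and their numeric
# action (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$Pref = Get-MpPreference
$Ids  = @($Pref.AttackSurfaceReductionRules_Ids)
$Acts = @($Pref.AttackSurfaceReductionRules_Actions)

foreach ($Id in $AsrRules.Keys) {
    $State = 'Not configured'
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -ieq $Id) {
            $Code  = [int]$Acts[$i]
            $State = if ($ActionName.ContainsKey($Code)) { $ActionName[$Code] } else { "Unknown ($Code)" }
            break
        }
    }
    [pscustomobject]@{ Rule = $AsrRules[$Id]; Id = $Id; State = $State }
}
```

Roll the same two rules out through Intune or Group Policy for fleet-wide enforcement; the script is useful for spot checks and for confirming that a management profile actually landed on a given host. Audit-mode events (Defender operational log, event ID 1122) let you see which business processes would have been blocked before you switch to Enabled.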
Disable Macros and Active Content
Macros should be disabled by default. Use Group Policy to enforce “Disable all macros without notification” except for digitally signed macros from trusted publishers. This reduces the attack surface from macro-laden documents. CVE-2025-54902 itself is a parsing bug, not a macro vulnerability, but macro-based attacks often accompany document exploits.
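As an added example that is not part of the original article, the audit below covers both the Protected View settings described under “Enforce Protected View” and the macro settings described in this section. It reads the Excel policy values that Group Policy writes under HKCU\Software\Policies and reports whether each one matches the hardened value. The value names and the 16.0 version key follow the Office 2016 and later ADMX templates as I know them; confirm them against the templates deployed in your environment before relying on the result.

```powershell
# Added example (not from the article or Microsoft): audit Excel Protected View and macro
# policy values on the current user's profile. Value names assume the Office 16.0 ADMX
# templates (Microsoft 365 Apps, Office 2016-2024 all use the 16.0 key).
function Test-ExcelHardeningPolicy {
    param(
        [string]$OfficeVersion = '16.0',
        # 4 = disable all macros without notification; 3 = disable all except digitally signed
        [int]$ExpectedVbaWarnings = 4
    )
    $Base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"
    $Checks = @(
        # Protected View: a value of 0 keeps Protected View ON for that source
        @{ Path = "$Base\ProtectedView"; Name = 'DisableInternetFilesInPV';   Expected = 0; Meaning = 'Protected View for files from the Internet zone' }
        @{ Path = "$Base\ProtectedView"; Name = 'DisableAttachementsInPV';    Expected = 0; Meaning = 'Protected View for Outlook attachments (registry spelling as-is)' }
        @{ Path = "$Base\ProtectedView"; Name = 'DisableUnsafeLocationsInPV'; Expected = 0; Meaning = 'Protected View for files in unsafe locations' }
        # Macro controls
        @{ Path = $Base; Name = 'VBAWarnings';                      Expected = $ExpectedVbaWarnings; Meaning = 'VBA macro notification setting' }
        @{ Path = $Base; Name = 'blockcontentexecutionfrominternet'; Expected = 1; Meaning = 'Block macros in files that came from the Internet' }
    )
    foreach ($c in $Checks) {
        $Actual = $null
        if (Test-Path $c.Path) {
            $Item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $Item) { $Actual = $Item.($c.Name) }
        }
        # "Not set" means no policy is enforced, so the user could change the setting;
        # treat that as non-compliant for an enterprise baseline.
        [pscustomobject]@{
            Setting   = $c.Meaning
            ValueName = $c.Name
            Expected  = $c.Expected
            Actual    = if ($null -eq $Actual) { 'not set' } else { $Actual }
            Compliant = ($null -ne $Actual -and $Actual -eq $c.Expected)
        }
    }
}

Test-ExcelHardeningPolicy | Format-Table -AutoSize
```

Run it in the context of an ordinary user (policy values live in HKCU) or have your endpoint management tool collect the output as a compliance signal. Pass -ExpectedVbaWarnings 3 if your baseline allows digitally signed macros from trusted publishers rather than disabling macros outright.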
Application Allow-Listing
AppLocker or Windows Defender Application Control (WDAC) can block execution of unauthorized executables. Even if an exploit succeeds, the attacker’s ability to run payloads is drastically curtailed.
Patching Playbook for Enterprises
A structured rollout minimizes the exposure window.
Inventory and Discovery
Use endpoint management tools (SCCM, Intune, Jamf) to enumerate Office installation versions. Map build numbers against Microsoft’s advisory to identify vulnerable endpoints. Maintain a worksheet with hostname, user, Office product name, build number, patch status, and expected remediation date.
Staged Deployment
- Test ring: Deploy the patch to a small set of non-critical systems and verify functionality.
- Pilot ring: Extend to high-risk business units—teams that frequently open external documents.
- Broad deployment: Push updates to the remaining enterprise.
Verification
Check installed build numbers post-patch. For Click-to-Run installations, query the registry:
HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
For MSI-based installs, use wmic product get name, version or inspect the Add/Remove Programs list. The Office “About” dialog also displays the exact version.
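As an added example (not Microsoft's tooling and not part of the original article), the function below reads the installed build from the Click-to-Run configuration key quoted above and compares it with the fixed build for the endpoint's channel. The $MinimumFixedBuild default is a placeholder, since this page does not list fixed build numbers; take the real value for each servicing channel from the MSRC advisory or the accompanying KB article. For MSI installs it reads the Uninstall registry keys rather than querying Win32_Product, because that WMI class triggers a consistency check (and possible repair) of every installed MSI package.

```powershell
# Added example (not Microsoft's code): report installed Office builds and whether they
# meet a minimum fixed build. $MinimumFixedBuild is a PLACEHOLDER; replace it with the
# fixed build for your channel from the MSRC advisory / KB article.
function Get-OfficePatchStatus {
    param(
        [version]$MinimumFixedBuild = [version]'16.0.0.0'   # placeholder, see lead-in
    )
    $C2RKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $C2RKey) {
        $Cfg   = Get-ItemProperty -Path $C2RKey
        $Build = [version]$Cfg.VersionToReport       # four-part build, e.g. 16.0.nnnnn.nnnnn
        return [pscustomobject]@{
            InstallType = 'Click-to-Run'
            Products    = $Cfg.ProductReleaseIds      # e.g. O365ProPlusRetail or a volume SKU
            Platform    = $Cfg.Platform
            Build       = $Build
            Patched     = ($Build -ge $MinimumFixedBuild)
        }
    }

    # MSI-based Office: enumerate the Uninstall keys (64-bit and 32-bit views) instead of
    # Win32_Product, which reconfigures every MSI package it enumerates.
    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Office*' -or $_.DisplayName -like 'Microsoft Excel*' } |
        ForEach-Object {
            $Build = $null
            if ($_.DisplayVersion) { try { $Build = [version]$_.DisplayVersion } catch { } }
            [pscustomobject]@{
                InstallType = 'MSI'
                Products    = $_.DisplayName
                Platform    = if ($_.PSPath -like '*WOW6432Node*') { 'x86' } else { 'x64' }
                Build       = $Build
                Patched     = if ($Build) { $Build -ge $MinimumFixedBuild } else { $null }
            }
        }
}

Get-OfficePatchStatus | Format-Table -AutoSize
```

Two caveats when you turn this into a fleet report. Click-to-Run builds differ by channel (Current, Monthly Enterprise, Semi-Annual, LTSC), so the comparison is only meaningful with the fixed build for that channel, and a single global minimum will mis-grade some hosts. MSI-based Office uses a different version sequence from Click-to-Run, so for those installs check the advisory's MSI-specific KB number rather than reusing the Click-to-Run build threshold. The wmic utility mentioned above is deprecated in current Windows releases, which is another reason to read the registry directly.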
Mac Users: Stay Vigilant
Until Microsoft delivers the Mac updates, centralise patching through MDM solutions and apply the mitigations above. Consider blocking .XLSX/.XLSB files from external sources on email gateways, or sandbox attachments for analysis before delivery.
Detection and Threat Hunting
Since signature-based tools may miss parsing exploits, behavioural detection is critical.
- EDR rules: Alert on Excel (excel.exe) spawning suspicious child processes—cmd.exe, powershell.exe, wscript.exe, cscript.exe, rundll32.exe.
- SIEM correlation: Look for Excel process start followed within 60 seconds by outbound network connections to unknown IPs or unusual DNS queries.
- Heuristics: Flag sudden creation of scheduled tasks, services, or registry autoruns within five minutes of an Excel process launch.
- Sample hunt queries: process-creation logs where parent_process = excel.exe and child_process IN (suspicious_list); PowerShell commands with an Excel parent whose command line contains base64-encoded payloads.
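The following is an added example, not part of the original article, that turns the EDR rule, the SIEM correlation and the sample hunt queries above into working detection logic. It runs over constructed Sysmon-style records (field names follow Sysmon event ID 1 ProcessCreate and ID 3 NetworkConnect; every record, host name, GUID and IP address is made up for illustration, and the encoded payload is a harmless Write-Output). It goes slightly beyond the text by decoding -EncodedCommand arguments for the analyst and by using a known-good destination list instead of the looser notion of “unknown IPs”.

```powershell
# Added example (not from the article): hunt logic over constructed Sysmon-style records.
# In production, feed it objects parsed from Get-WinEvent or a SIEM export with the same
# field names (EventType, UtcTime, Computer, ProcessGuid, Image, ParentImage, CommandLine,
# DestinationIp, DestinationPort).

$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')

function Get-EncodedPowerShellPayload {
    # Return the decoded text of a -EncodedCommand / -enc / -e argument (UTF-16LE base64), or $null.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<not valid base64>' }
    }
    return $null
}

function Find-ExcelSuspiciousActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $NetworkWindowSeconds = 60,
        [string[]] $KnownGoodDestinations = @()   # e.g. your proxy or Microsoft 365 egress addresses
    )
    $Alerts  = [System.Collections.Generic.List[object]]::new()
    $Creates = @($Events | Where-Object { $_.EventType -eq 'ProcessCreate' })

    # Rule 1 (EDR-style): excel.exe spawning a shell, script host or rundll32
    foreach ($e in $Creates) {
        $Parent = Split-Path -Leaf $e.ParentImage
        $Child  = Split-Path -Leaf $e.Image
        if ($Parent -ieq 'excel.exe' -and $SuspiciousChildren -contains $Child) {
            $Alerts.Add([pscustomobject]@{
                Rule    = 'ExcelChildProcess'
                Time    = $e.UtcTime
                Host    = $e.Computer
                Detail  = "excel.exe spawned $Child"
                Decoded = Get-EncodedPowerShellPayload -CommandLine $e.CommandLine
            })
        }
    }

    # Rule 2 (SIEM-style correlation): an Excel process start followed within the window by an
    # outbound connection from that same process to an address not on the known-good list
    $ExcelStarts = @{}
    foreach ($e in $Creates) {
        if ((Split-Path -Leaf $e.Image) -ieq 'excel.exe') { $ExcelStarts[$e.ProcessGuid] = $e.UtcTime }
    }
    foreach ($n in ($Events | Where-Object { $_.EventType -eq 'NetworkConnect' })) {
        if (-not $ExcelStarts.ContainsKey($n.ProcessGuid)) { continue }
        $Delta = ($n.UtcTime - $ExcelStarts[$n.ProcessGuid]).TotalSeconds
        if ($Delta -ge 0 -and $Delta -le $NetworkWindowSeconds -and $KnownGoodDestinations -notcontains $n.DestinationIp) {
            $Alerts.Add([pscustomobject]@{
                Rule    = 'ExcelEarlyNetworkConnect'
                Time    = $n.UtcTime
                Host    = $n.Computer
                Detail  = "excel.exe connected to $($n.DestinationIp):$($n.DestinationPort) $([int]$Delta)s after start"
                Decoded = $null
            })
        }
    }
    return $Alerts
}

# Constructed sample telemetry: documentation-range IP 203.0.113.7, benign encoded payload
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Output sample'))
$Excel   = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
$SampleEvents = @(
    [pscustomobject]@{ EventType='ProcessCreate';  UtcTime=[datetime]'2025-09-10T14:02:00'; Computer='WS-0042'; ProcessGuid='{guid-excel}'; Image=$Excel; ParentImage='C:\Windows\explorer.exe'; CommandLine='"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsx' }
    [pscustomobject]@{ EventType='ProcessCreate';  UtcTime=[datetime]'2025-09-10T14:02:05'; Computer='WS-0042'; ProcessGuid='{guid-ps}';    Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage=$Excel; CommandLine="powershell.exe -NoProfile -enc $Encoded" }
    [pscustomobject]@{ EventType='NetworkConnect'; UtcTime=[datetime]'2025-09-10T14:02:40'; Computer='WS-0042'; ProcessGuid='{guid-excel}'; Image=$Excel; DestinationIp='203.0.113.7'; DestinationPort=443 }
    [pscustomobject]@{ EventType='ProcessCreate';  UtcTime=[datetime]'2025-09-10T14:03:00'; Computer='WS-0042'; ProcessGuid='{guid-np}';    Image='C:\Windows\System32\notepad.exe'; ParentImage='C:\Windows\explorer.exe'; CommandLine='notepad.exe' }   # benign, no alert
)

Find-ExcelSuspiciousActivity -Events $SampleEvents -KnownGoodDestinations @('203.0.113.1') | Format-List
```

On the sample data the first rule fires once (Excel spawning powershell.exe, with the decoded argument shown so the analyst does not have to decode it by hand) and the second fires once (the connection 40 seconds after Excel started, to an address not on the known-good list); the notepad record produces nothing. Both rules map directly onto EDR custom detections or SIEM queries: rule 1 needs only process-creation telemetry with parent/child images, while rule 2 needs the process GUID (or PID plus start time) to join process and network events, so make sure your collection captures it.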
Beyond the Patch: Long-Term Hardening
- Least privilege: Users should run with standard accounts, not local admin rights. This limits the damage if code execution occurs.
- Application control: Enforce WDAC or AppLocker to restrict what can run.
- Mail gateway sandboxing: Detonate attachments in isolated environments before they reach inboxes.
- Continuous user education: Phishing simulations and awareness training reduce the likelihood of users opening malicious attachments.
- Automated patch cycles: Maintain a rapid emergency patch path for critical Office updates alongside regular Patch Tuesday cadences.
The Bigger Picture
CVE-2025-54902 is not an isolated incident. Throughout 2025, multiple Excel memory-safety defects—out-of-bounds reads, heap corruptions, use-after-free—have been patched, many with code execution impact. Complex file parsers remain a favourite target for vulnerability researchers and attackers alike. As exploit techniques mature, the window between disclosure and weaponization shrinks.
Public proof-of-concept code often appears within days of a patch release, and commodity malware families quickly incorporate new exploits. Security teams should not wait for a proof-of-concept before acting. The advisory alone is sufficient to justify an emergency patching sprint.
Action Checklist
- Patch immediately: Apply Microsoft’s Excel/Office security update on all supported platforms.
- For Mac users: Deploy mitigations (Protected View, ASR equivalents if available, app control) while awaiting the overdue patch.
- Enforce Protected View and disable macros via Group Policy or MDM.
- Activate ASR rules to block Office child processes.
- Hunt for signs of exploitation using EDR and SIEM queries.
- Verify patch rollout through centralised management and confirm build numbers.
- Communicate with users: Remind them not to open unexpected attachments or enable macros.
Microsoft’s advisory page for CVE-2025-54902 is the authoritative reference for patches and affected builds. Bookmark it and monitor for revision when the Mac updates are released.