Microsoft’s advisory for CVE-2026-45474 classifies the vulnerability as a remote code execution flaw in Microsoft Office, yet the CVSS attack vector is listed as local. This apparent contradiction often confuses security professionals. The advisory states that an attacker could exploit the vulnerability by sending a specially crafted Office file to a victim, who would then need to open it. In that scenario, the attacker is remote—perhaps on the other side of the world—but the technical exploitation occurs locally on the victim’s machine, hence the local vector. Defenders must understand this nuance to prioritize and mitigate effectively.

This vulnerability affects multiple versions of Microsoft Office, including the perpetual and subscription-based editions. While the exact components under attack were not initially detailed, typical Office RCE bugs target parsing engines in Word, Excel, or PowerPoint. A malicious document could leverage a memory corruption flaw, a logic error in macro handling, or a weakness in embedded objects. Because Office remains a ubiquitous productivity suite, such vulnerabilities are prime candidates for phishing campaigns and drive-by downloads.

Understanding the CVSS Attack Vector Paradox

The Common Vulnerability Scoring System (CVSS) defines the attack vector metric to indicate how the vulnerability is exploited. Network (N) means the attacker can exploit remotely over a network without physical or local access. Local (L) means the attacker either has local access to the target system or relies on the victim to perform an action that facilitates exploitation, such as opening a file. CVE-2026-45474 falls into the latter category. The attacker can craft and distribute a file from anywhere, but the final execution chain depends on a user action.

Security teams often filter vulnerabilities by attack vector, assuming that anything marked “local” has lower urgency. This CVE demonstrates why that assumption is dangerous. If an attacker can email a weaponized spreadsheet to thousands of employees, the remote delivery mechanism makes the threat just as severe as a network-exploitable flaw. In fact, user-interaction-dependent vulnerabilities are among the most exploited by real-world attackers because they bypass traditional perimeter defenses.

How the Exploit Works

Although Microsoft has not published the full technical details, standard Office exploitation techniques follow a predictable pattern. An attacker creates a malicious Office file—such as a .docx, .xlsx, or .pptx—containing exploit code. This could be embedded in an ActiveX control, a malformed record, or even a macro. When the victim opens the file, the flaw is triggered, allowing the attacker to execute arbitrary code with the privileges of the current user. If that user has administrative rights, the system is fully compromised.

Modern Office versions have several defense-in-depth features, such as Protected View, which opens documents from the internet in a sandbox with restricted capabilities. However, history shows that attackers find ways to bypass these protections. For CVE-2026-45474, the advisory likely notes that the Preview Pane is an attack vector, meaning merely selecting the file in Windows Explorer could trigger the vulnerability if the preview handler is enabled.

A typical attack flow:
- Attacker sends a spear-phishing email with a malicious attachment or a link to a file hosted on a cloud service.
- Victim downloads and opens the file.
- The vulnerability corrupts memory or bypasses security checks, leading to code execution.
- The payload may install malware, steal credentials, or move laterally.

Because the initial exploitation is local, endpoint detection and response (EDR) solutions have a window to block the payload. But if the exploit is zero-day, signature-based defenses may fail.

Affected Products and Mitigation

The advisory covers Microsoft Office 2019, Office 2021, Microsoft 365 Apps for Enterprise, and possibly older versions still under support. Server-side products like SharePoint or Office Online may also be impacted if they process Office documents in the same way. Microsoft typically coordinates patch releases on Patch Tuesday. Defenders should apply the update immediately, especially on systems where users frequently open documents from external sources.

For environments that cannot patch quickly, Microsoft may provide workarounds, such as disabling the Preview Pane or blocking Office document types at the email gateway. Security teams should consult the official advisory for configuration changes. Enforcing macro signing and disabling ActiveX controls can also reduce the attack surface.

Why This Matters for Defenders

CVE-2026-45474 forces a reassessment of risk prioritization. Many organizations heavily weight CVSS base scores and attack vector metrics when deciding which patches to deploy first. A “local” vector with a high severity score might be deprioritized compared to a “network” vector with a lower score. This CVE has a high severity rating (likely 7.8 or higher) and should be treated as an urgent patching priority because the downstream impact can be as devastating as a wormable network bug.

Moreover, the vulnerability highlights the blurred line between remote and local in modern workflows. Remote attackers routinely deliver local exploits via the internet. The CVSS framework is a useful tool, but operational threat context matters more. A vulnerability that requires user interaction but can be triggered from a remote source is a remote threat in every practical sense.

Microsoft’s Response

Microsoft’s Security Response Center (MSRC) assigned CVE-2026-45474 and released a security update through the standard channels. The advisory acknowledges the local attack vector while stressing the remote nature of the attacker. This distinction is crucial for compliance frameworks that require reporting on “remotely exploitable” vulnerabilities. Microsoft often adds clarifying language to help defenders understand the exploitation path.

The update likely corrects the underlying memory handling or input validation flaw. As with all Office updates, deployment can be done via Windows Update, Microsoft Update, or enterprise management tools like Configuration Manager. Because Office updates are cumulative, applying the latest build ensures protection against all known vulnerabilities.

For cloud-connected customers, Click-to-Run updates are automatic. Defenders should verify that update policies are not set to delay security patches unduly. If the organization uses third-party security scanners, they may need to check for the specific patch version to confirm remediation.

Defensive Strategies

Beyond patching, a layered defense is essential against Office-based threats. Email filtering should block common malicious attachment types, but attackers constantly adapt, using archive formats, password-protected files, or cloud links. User education remains a critical line of defense; staff should be taught to recognize phishing attempts and to report suspicious emails.

Endpoint protection platforms (EPP) with behavior-based detection can stop exploits even when specific signatures are absent. Application control, such as Windows Defender Application Control (WDAC) or AppLocker, can prevent Office from spawning unusual child processes like PowerShell or cmd.exe—a common post-exploitation technique. Attack surface reduction (ASR) rules in Microsoft Defender for Endpoint specifically block Office applications from creating executable content, launching child processes, or injecting code.
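The child-process behaviour described above is also one of the most reliable things to hunt for in existing telemetry. The following is an added example, not part of the original article or of any vendor product: it runs a simple "Office parent spawning an interpreter" rule over a constructed sample of process-creation events. The CSV column names and the sample rows are assumptions for this example and do not match any particular EDR schema.

```python
import csv
import io

# Office applications whose child processes are worth scrutinising.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and built-in tools that Office has little reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample of process-creation telemetry (CSV). The schema is assumed
# for this example; real EDR/Sysmon exports will need their own field mapping.
SAMPLE_EVENTS = """\
timestamp,host,user,parent_image,image,command_line
2026-05-01T09:12:03Z,ws-0142,jdoe,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,WINWORD.EXE /n C:\\Users\\jdoe\\Downloads\\invoice.docx
2026-05-01T09:12:09Z,ws-0142,jdoe,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -File C:\\Users\\Public\\update.ps1
2026-05-01T09:15:40Z,ws-0142,jdoe,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,C:\\Windows\\splwow64.exe,splwow64.exe 12288
2026-05-01T09:20:11Z,ws-0077,asmith,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c dir
2026-05-01T09:21:02Z,ws-0077,asmith,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,C:\\Windows\\System32\\cmd.exe,cmd.exe /c start C:\\Users\\Public\\setup.exe
"""


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_spawns(csv_text):
    """Return the events in which an Office process spawned a suspicious child.

    Benign Office children (e.g. splwow64.exe for printing) and interpreters
    launched from explorer.exe by the user are deliberately not flagged.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent = basename(row["parent_image"])
        child = basename(row["image"])
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append({"timestamp": row["timestamp"], "host": row["host"],
                         "user": row["user"], "parent": parent, "child": child,
                         "command_line": row["command_line"]})
    return hits


if __name__ == "__main__":
    for hit in find_office_spawns(SAMPLE_EVENTS):
        print(f"{hit['timestamp']} {hit['host']} {hit['user']}: "
              f"{hit['parent']} -> {hit['child']}  [{hit['command_line']}]")
```

On the sample data only the two Office-to-interpreter launches are reported; the same rule expressed in your SIEM's query language is a cheap complement to the ASR rules, since it still fires on hosts where ASR is in audit mode.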

For high-risk environments, consider using a dedicated document isolation or detonation service that opens attachments in a sandbox before delivering them to users. Disabling the Preview Pane and forcing Protected View for all downloaded documents adds an extra hurdle for attackers.

Table: Mitigation Actions and Effectiveness

Action                            | Effectiveness                            | Implementation Difficulty
----------------------------------|------------------------------------------|--------------------------
Install Microsoft Update          | High – eliminates the vulnerability      | Low
Disable Preview Pane              | Medium – reduces exposure surface        | Low
Block Office macros from internet | High – prevents many macro-based attacks | Medium
Enable ASR rules                  | High – blocks common exploit techniques  | Medium
Use application control           | High – prevents payload execution        | High
User awareness training           | Variable – depends on social engineering | Medium
Isolate documents in sandbox      | High – catches zero-days                 | High

The Bigger Picture: Office-Based Attacks

Office file formats are incredibly complex, with decades of legacy features that create a broad attack surface. Vulnerabilities like CVE-2026-45474 are discovered regularly. In recent years, we’ve seen malicious macros, DDE attacks, and Excel 4.0 macros resurge. Microsoft’s shift toward blocking macros by default has reduced the risk, but determined attackers pivot to new techniques.

The confusion over CVSS attack vectors is not new. In 2020, a similar debate surrounded CVE-2020-0609, a remote desktop vulnerability that required user interaction but was widely considered remotely exploitable. The cybersecurity community continues to refine how CVSS is applied, but defenders must look beyond a single metric.

For CVE-2026-45474, the key takeaway is that an attacker does not need to be on your network or have physical access to compromise your systems. A carefully crafted email is enough. Treat this vulnerability as a remote code execution threat in your threat model, and prioritize accordingly.

Looking Ahead

As we wait for more detailed technical analysis from security researchers, the immediate priority is patching. History shows that such vulnerabilities often get exploited in the wild within days of disclosure. If your organization is not yet patched, assume you are at risk. Check your Microsoft 365 update channel and ensure you are on a build that includes the fix.

This CVE also serves as a reminder to review how your team scores and prioritizes vulnerabilities. Integrate threat intelligence and real-world exploitability into your process. A vulnerability that’s “local” on paper but “remote” in practice should never slip through the cracks.