Microsoft has released emergency security updates to patch a significant information-disclosure vulnerability in Microsoft Excel, tracked as CVE-2025-54901, that can expose sensitive process memory contents when a user opens a specially crafted spreadsheet. While Windows and mainstream Office update channels are already receiving the fix, administrators managing Microsoft Office LTSC for Mac 2021 and 2024 installations are being told the patch isn't immediately available, leaving those systems exposed until a revised CVE update ships.
The vulnerability, classified as a buffer over-read, resides in Excel’s file-parsing engine. An attacker can embed malformed data structures inside an XLS, XLSX, or XLSB file—or even inside embedded OLE objects—to trigger an out-of-bounds read during rendering. Successful exploitation causes Excel to read beyond the allocated memory buffer and leak heap or stack contents, potentially revealing sensitive runtime information such as memory layout pointers, heap addresses, and other secrets. While the flaw does not directly allow code execution, the disclosed memory map can be weaponized by attackers to bypass Address Space Layout Randomization (ASLR) and construct more reliable exploit chains that escalate to remote code execution.
Microsoft’s Security Update Guide classifies the issue as “Important” and notes that user interaction is required for exploitation: the victim must open or preview a malicious file. That interaction vector lowers the urgency for automated worm-style attacks but does little to diminish the risk in targeted spear-phishing campaigns—historically the most common delivery mechanism for Office-based threats. Corporate finance, HR, and IT departments that regularly handle Excel attachments are particularly attractive targets.
Memory Disclosure: The Danger Beneath the Surface
A buffer over-read occurs when software fails to properly validate the boundaries of a data buffer before reading from it. In Excel’s document parsing routines, complex binary record structures are deserialized into in-memory objects. If an attacker manipulates length fields, type indicators, or sequence counters inside the file, the parser can be coerced into reading memory beyond what was originally allocated. That excess data gets processed as if it were legitimate content, and traces of it may be returned in error messages, reflected in output values, or leaked through side channels.
The immediate consequence—information disclosure—is often underestimated. Modern memory-safe exploit chains depend on precise knowledge of where code and data reside in memory. ASLR randomizes those locations on every boot, making it much harder for attackers to predict target addresses. A reliable info-leak primitive strips away that randomness, enabling deterministic exploitation of other bugs such as use-after-free, type confusion, or heap overflows. Security researchers have long documented this “disclosure → layout calculation → code execution” pattern across Office, Adobe Reader, and browser components.
In the context of CVE-2025-54901, attackers can craft a workbook that causes Excel to read out-of-bounds during routine operations like recalculating formulas, rendering charts, or processing shape metadata. The exact affected code paths will be detailed in Microsoft’s private advisory, but publicly available patterns from similar 2025 Excel CVEs point to nesting errors in compound document streams or incorrect handling of BIFF record lengths in legacy XLS formats.
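To make the length-field problem concrete, here is an added C illustration (not Microsoft's code and not the actual CVE-2025-54901 code path) of a record walker for an assumed BIFF-like layout, showing the bounds check that separates a safe parser from one that over-reads:

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified BIFF-style record stream (assumed layout for illustration, not
 * Excel's real parser): each record is a 2-byte type, a 2-byte little-endian
 * length, then `length` bytes of payload. */
#define REC_HDR 4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walks the stream, summing payload bytes into *total. Returns the record
 * count, or -1 if a header is truncated or a declared length would run past
 * the end of `buf`. Without that length check, reading `len` payload bytes is
 * the over-read described above: `len` comes from the file, and the bytes past
 * `size` are whatever happens to sit next in the heap or on the stack. */
int walk_records(const uint8_t *buf, size_t size, size_t *total)
{
    size_t off = 0;
    int count = 0;
    *total = 0;
    while (off < size) {
        if (size - off < REC_HDR)            /* truncated header */
            return -1;
        uint16_t len = rd16(buf + off + 2);  /* attacker-controlled field */
        if (len > size - off - REC_HDR)      /* payload would overrun buffer */
            return -1;
        /* Only now is buf[off + REC_HDR .. off + REC_HDR + len) safe to read. */
        *total += len;
        off += REC_HDR + len;
        count++;
    }
    return count;
}

int record_count(const uint8_t *buf, size_t size) { size_t t; return walk_records(buf, size, &t); }
long payload_bytes(const uint8_t *buf, size_t size)
{ size_t t; return walk_records(buf, size, &t) < 0 ? -1 : (long)t; }

/* Constructed samples: a well-formed BOF (0x0809) + EOF (0x000A) stream, and a
 * crafted one whose BOF header declares 0xFFFF payload bytes but carries two. */
static const uint8_t GOOD_SAMPLE[]    = {0x09,0x08,0x04,0x00, 0x00,0x06,0x10,0x00, 0x0A,0x00,0x00,0x00};
static const uint8_t CRAFTED_SAMPLE[] = {0x09,0x08,0xFF,0xFF, 0x41,0x42};

int main(void)
{
    printf("good: %d records, %ld payload bytes\n", record_count(GOOD_SAMPLE, sizeof GOOD_SAMPLE),
           payload_bytes(GOOD_SAMPLE, sizeof GOOD_SAMPLE));
    printf("crafted: %d (rejected)\n", record_count(CRAFTED_SAMPLE, sizeof CRAFTED_SAMPLE));
    return 0;
}
```

The crafted stream is rejected at the header rather than being read; a parser that trusted the 0xFFFF length would walk 65,533 bytes past the end of the file buffer.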
Affected Products and the Mac Patch Gap
Microsoft’s advisory does not enumerate every build publicly in its abstract, deferring instead to the dynamic Security Update Guide interface where administrators are expected to map their servicing channels. Practically, the following configurations are in scope:
- Microsoft 365 Apps for enterprise (Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel)
- Office 2021 (Retail and Volume Licensed)
- Office 2019
- Office LTSC 2021 and 2024 (Windows and Mac)
- Office Online Server (used in SharePoint and Exchange attachment preview)
However, the MSRC page for CVE-2025-54901 carries a blunt note: “The security update for Microsoft Office LTSC for Mac 2021 and 2024 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.” This means Mac users—particularly those in enterprise environments who rely on the LTSC editions for stability and long-term servicing—must implement compensating controls while they wait.
This delay is not unprecedented. Apple’s platform-specific sandboxing and notarization requirements sometimes introduce additional validation cycles for Office patches. Still, for zero-day and close-to-zero-day scenarios, even a few days of exposure can be dangerous. Threat actors actively monitor CVE publications and may reverse-engineer the Windows patch to build exploits for unpatched Mac targets.
How Attackers Will Weaponize the Flaw
Successful exploitation requires a victim to open or preview a malicious Excel file. Common delivery vectors include:
- Spear-phishing emails containing weaponized attachments disguised as invoices, reports, or urgent HR documents.
- Shared cloud drives (OneDrive, SharePoint, Dropbox) where a compromised account or malicious insider places the file.
- Web downloads from legitimate-looking sites, often bundled with software or disguised as templates.
- Embedded OLE objects inside other Office documents (e.g., a Word file linking to a crafted Excel sheet).
Once the file is opened, the parser triggers the out-of-bounds read. In a pure information-disclosure attack, an attacker might exfiltrate the leaked memory directly if they can observe process output—though Office’s sandboxing and Protected View make this nontrivial. More realistically, the leak is a stepping stone. For example, an attacker could combine CVE-2025-54901 with a separate heap corruption vulnerability: first use the over-read to identify heap chunk sizes and allocation patterns, then groom the heap to place attacker-controlled data adjacent to a function pointer, and finally trigger the corruption to hijack execution.
Because Microsoft’s advisories for 2025 have described a steady stream of memory-safety bugs in Office, skilled attackers may already possess—or quickly develop—zero-day chains that pair an information leak like this one with an unreleased code-execution bug. Defenders should assume that exploitation of CVE-2025-54901 in isolation is unlikely; rather, it will be one stage of a multi-stage attack.
Immediate Remediation for Windows and Cloud-Based Office
For most organizations, the path to safety is straightforward:
- Retrieve the patch. Visit the Microsoft Security Update Guide for CVE-2025-54901 and locate the Knowledge Base (KB) article or package identifier specific to your Office servicing channel. For Microsoft 365 Apps, the fix is delivered through the normal Click-to-Run update mechanism. For MSI-based installations (e.g., Office 2019, LTSC), you'll need to download and deploy the standalone .msp update from the Microsoft Update Catalog.
- Deploy urgently. Use Microsoft Endpoint Configuration Manager, Windows Server Update Services, or Intune to push the update to all workstations and servers running Excel. For high-value assets (executive laptops, finance terminals, servers processing untrusted documents), consider emergency change-control procedures to accelerate rollout.
- Verify installation. Post-deployment, confirm that the Excel build number matches the KB article’s expected version. In Excel, go to File → Account → About Excel. Compare the version against the patched build listed in the advisory.
- For Office Online Server and SharePoint preview scenarios, apply the server-side updates immediately. These are often overlooked but can expose the vulnerability without any user interaction when automated document conversion or preview generation occurs.
Interim Mitigations for Mac LTSC and Delayed Updates
Until Microsoft releases the Mac updates, affected users should implement layered defenses:
- Enforce Protected View. Configure Office to always open files from the internet and untrusted locations in read-only, sandboxed mode. This greatly reduces the attack surface because the parser is restricted in what memory it can access. In Excel preferences, under File Block Settings, enable opening and saving of legacy formats.
- Disable attachment preview in Outlook. Disable the preview pane for Excel attachments and ensure automatic download of external content is blocked. In Outlook for Mac, navigate to Preferences → Reading and uncheck “Show preview.”
- Apply Attack Surface Reduction rules. If your Mac endpoints are managed via Microsoft Defender for Endpoint or a mobile device management (MDM) profile, enable ASR rules that prevent Office apps from spawning child processes, creating executable content, or injecting code into other processes. Even if the memory leak is triggered, these rules can halt an attempted exploit chain before code execution occurs.
- Restrict macros and ActiveX. Set macro security to “Disable all macros with notification” and disable ActiveX controls entirely. While this CVE does not require macros, reducing complexity limits other potential attack vectors that could be chained.
- Use Office for the web as a safe preview. Before opening an untrusted Excel file, view it in Excel Online through a browser. Many parsing bugs are only exploitable in the desktop application, so web-based preview adds a valuable isolation layer.
- Sandbox attachments. Route all Excel attachments through a cloud-based or on-premises detonation chamber that opens and inspects files in a hardened virtual environment. Products like Microsoft Defender for Office 365 Safe Attachments can intercept and analyze before delivery.
Detection and Threat Hunting
Because file-based attacks can be easily re-encoded to evade signature detection, defenders should focus on behavioral indicators:
- Monitor Excel processes for suspicious child creation. In your EDR or SIEM, trigger alerts when excel.exe spawns cmd.exe, powershell.exe, wscript.exe, or mshta.exe. These are rarely needed for legitimate Excel operations and often mark the beginning of a post-exploit phase.
- Watch for unusual network connections. After a malicious document is opened, the attacker may attempt to phone home. Look for network activity from Excel to newly registered domains, dynamic DNS services, or IP addresses with poor reputation.
- Detect file write patterns. An exploit trying to drop a payload may write .exe, .dll, or .ps1 files into %APPDATA%, %TEMP%, or system directories. Monitor for such write operations from Excel.
- Capture memory dumps for forensic analysis. If you have proactive memory monitoring (e.g., via Microsoft Defender for Endpoint’s live response), snapshot the Excel process if it crashes or behaves abnormally after opening a file. The dump can later be analyzed for signs of out-of-bounds reads—look for string fragments, pointer values, or heap metadata in places they shouldn’t be.
For immediate hunting, the following KQL query for Microsoft Defender for Endpoint advanced hunting can serve as a starting point (adapt table and column names to your platform):
// Excel spawning a shell or script host shortly after the Excel process started.
// Defender advanced hunting does not record file-open events to join against, so
// the "within 5 seconds of file open" window is approximated by the child's
// start time relative to Excel's own process creation time.
let suspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where InitiatingProcessFileName =~ "excel.exe"
| where FileName in~ (suspiciousChildren)
| extend SecondsSinceExcelStart = datetime_diff("second", Timestamp, InitiatingProcessCreationTime)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, SecondsSinceExcelStart
Operational Playbook for Security Teams
- Inventory and assess. Pull an accurate inventory of all Office installations, noting specific edition (Retail, Volume Licensed, LTSC), platform (Windows, Mac), and servicing channel. Map these to the MSRC affected product list.
- Expedite patch deployment. For every platform where a fix is available, push the update as an emergency change. Prioritize endpoints that handle external attachments or are used by high-risk users.
- Implement interim controls on unpatched systems. On all Mac LTSC installations (and any Windows machines that cannot be immediately updated), enforce Protected View, disable preview handlers, restrict macros, and turn on ASR rules.
- User awareness communication. Issue a brief, non-technical advisory warning users not to open unexpected Excel files, especially those arriving via email from unknown senders. Remind them to forward suspicious attachments to IT for analysis.
- Hunt aggressively. Run the behavioral detections described above across your fleet for the next 72 hours. Treat any alert where Excel spawned an unusual child process as a potential incident and initiate triage.
- Preserve evidence. If you identify a suspicious file or a compromised host, isolate the machine, capture a forensic memory dump of the Excel process, secure the original attachment file, and export relevant EDR timeline logs before initiating remediation.
The Bigger Picture: Persistent Document Parser Risks
CVE-2025-54901 is not an isolated incident. Throughout 2025, Microsoft has addressed multiple memory-safety bugs in Excel—use-after-free, heap overflows, and out-of-bounds reads—that share a common root: legacy file-parsing code written in memory-unsafe languages. Each month’s Patch Tuesday seems to bring another “Crafted Workbook” CVE. The pattern underscores a structural challenge: Office document formats are immensely complex, supporting decades of backward compatibility, and attackers have learned to fuzz them mercilessly.
For defenders, the lesson is clear. Patching must be swift and comprehensive. But because code-execution chains often rely on multiple vulnerabilities, a defense-in-depth posture remains essential. Aggressive adoption of ASR rules, application allow-listing, and endpoint detection coverage can contain damage even when a zero-day information leak like CVE-2025-54901 is combined with an unknown bug. Microsoft’s own guidance has increasingly pushed customers toward these layered controls.
What’s Next for Mac Users?
Microsoft has committed to delivering the Mac LTSC update “as soon as possible.” Security teams should monitor the CVE-2025-54901 MSRC page for revisions. Until the update appears, assume that any Mac running Office LTSC is vulnerable and should operate under the mitigations detailed above. When the patch does arrive, roll it out with the same urgency as you would a zero-day fix—because by then, the public disclosure window will have widened, and exploit code may already be circulating.
For now, the most effective step any organization can take is to install the available patches on Windows and cloud platforms without delay. The information leaked by CVE-2025-54901 may be invisible, but its value to attackers is anything but.