A recent Microsoft security advisory for Excel vulnerability CVE-2025-60727 comes with a puzzling label: "Remote Code Execution." But when defenders check the CVSS vector, they see "Attack Vector: Local" – a seeming contradiction that has confused IT teams for years. Microsoft has now addressed the mismatch directly in the advisory’s FAQ: “The word Remote in the title refers to the location of the attacker,” not the exploit trigger. The clarification is a critical reminder that vulnerability titles and CVSS metrics serve different purposes, and reading them together is essential to mount an effective defense.
The advisory that reignited the confusion
CVE-2025-60727 describes a memory-corruption flaw in Excel’s native parser. An attacker can craft a malicious workbook that, when opened by a victim, triggers arbitrary code execution in the context of the logged-on user. No macros are needed – the exploit relies solely on malformed file structures. In its Security Update Guide entry, Microsoft classifies the issue as a Remote Code Execution, yet the accompanying CVSS vector lists Attack Vector as Local (AV:L). The disconnect prompted the company to add a rare, direct explanation to the advisory page: “The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”
This tension between headline impact and technical scoring isn’t unique to this CVE. Dozens of Office parsing bugs have carried the RCE label with AV:L, leaving administrators unsure how to prioritize them. Some automated triage systems have mistakenly flagged these as network-service vulnerabilities or, conversely, dismissed them as low-severity local problems. The updated FAQ is Microsoft’s attempt to bridge the gap for the many security teams who raised the question.
Why remote attackers still get a local severity score
The CVSS standard defines Attack Vector as the location where the vulnerable component is invoked at the moment of exploitation, not how the malicious data arrived on the machine. Four categories exist:
- Network (AV:N): The vulnerable component is accessible directly over a network, requiring no user interaction (e.g., a listening service).
- Adjacent (AV:A): Exploitation requires adjacency to the victim’s network (same subnet).
- Local (AV:L): The exploit must be triggered by local action – opening a file, running a program, or otherwise invoking the vulnerable code on the host.
- Physical (AV:P): Physical access to the device is necessary.
When a vulnerability exists in Excel’s binary parser, the code that crashes or corrupts memory runs inside the Excel process on the victim’s own machine. That trigger is local, even if the file traveled across the internet moments before. CVSS deliberately avoids counting the delivery mechanism in the Attack Vector metric to prevent double-scoring and to keep assessments consistent across varied attack chains. This why AV:L is standard for all client-side document-parsing flaws, no matter how they are delivered.
There is one important exception: if a vulnerable parser runs inside a network-accessible service – such as an email gateway that renders attachments for preview or an Office Online Server that processes documents on behalf of remote clients – then the attack vector can legitimately be scored as Network (AV:N). In those cases, an attacker can trigger the exploit without a target user opening a file locally, dramatically increasing exposure. Microsoft’s advisory for CVE-2025-60727 does not indicate server-side impact, so the AV:L rating applies.
What it means for home users vs. enterprise admins
For home users, the practical risk remains high. Despite the local trigger, the attack originates remotely – typically via a phishing email or a malicious download. The "Remote" in the CVE title is a blunt warning: a stranger can send you a weaponized Excel file that, if opened, takes over your machine. Keep your Office installation updated, avoid opening unsolicited attachments, and enable Protected View for files from the internet. These steps are your first line of defense.
Enterprise administrators face a subtler challenge. An AV:L rating does not mean the vulnerability is low risk. Because widespread delivery methods (email, shared cloud folders, compromised websites) make it trivial for attackers to get the malicious file onto target systems, these bugs are consistently exploited in the wild. A CVE labeled Remote Code Execution with AV:L should be treated as a high-priority patching item. If your organization uses any server-side document-rendering components, such as mail-scanning appliances, collaboration platforms with preview features, or Office Online Server, you must escalate remediation; those systems can expose the same parser flaw to unauthenticated remote attackers, effectively converting AV:L into AV:N.
Security operations centers that rely on automated ticketing from CVE data should also adjust their ingestion logic. Tools that parse only the CVE title may misclassify the threat, either overestimating network exposure or underestimating real-world exploitation risk. Ingest the full CVSS vector alongside the title, and always check the advisory body for statements about server-side impact and user interaction requirements. For CVE-2025-60727, the User Interaction metric is Required (UI:R), confirming that a user must open the file – a reminder that user education and endpoint hardening are critical.
A practical checklist for immediate defense
When a high-impact Office vulnerability with a "local" attack vector surfaces, turn this sequence into action:
- Patch immediately. Map the advisory’s KB numbers to your Office deployment channels (Click-to-Run, MSI, LTSC, Mac) and push updates through your management tools. Verify build numbers post-deployment.
- Harden endpoints. Enforce Protected View for all internet-originated files. Disable macros and ActiveX by policy where possible – many parser exploits do not rely on macros, but reducing the script execution surface still helps. Implement Attack Surface Reduction (ASR) rules to stop Office from spawning child processes or executing unsigned binaries.
- Lock down email handling. Block or sandbox attachments with risky file types (especially .xls, .xlsx, .xlsm). Disable automatic preview rendering for external messages, and route attachments through detonation services before delivery.
- Detect exploitation attempts. Tune EDR and SIEM tools to flag abnormal Office behavior: unexpected process creation, memory manipulation, or suspicious post-exploitation network connections. Deploy behavioral detections that look for Office-based exploitation chains, not just static file signatures.
- Inventory server-side parsers. Identify every service in your environment that programmatically opens Office documents – mail gateways, SharePoint, document management systems, custom applications. Prioritize patching on these hosts, and if the advisory later confirms server-side impact, treat those instances as critically exposed.
- Reduce the blast radius. Enforce least privilege: remove local admin rights for standard users, and apply credential protection (MFA, hardened authentication) to limit lateral movement if code execution occurs.
- Communicate with users. Warn end users about current phishing campaigns that may carry this exploit; remind them not to open unexpected attachments or enable editing on files from unknown sources.
What to watch in future advisories
Microsoft is unlikely to change the use of “Remote Code Execution” as a CVE title class, because it quickly signals the attacker’s origin and worst-case impact – a convention that has proven valuable for rapid triage. However, as security automation becomes more prevalent, the tension between concise labels and precise technical metrics will only grow. Expect more vendors to add clarifying notes like the one in CVE-2025-60727, and look for improved CVSS educational content aimed at defenders who must interpret both signals.
For now, the lesson is clear: never stop at the title. Read the entire advisory, verify the CVSS vector, and map the real exploitation path to your environment. An Office RCE that scores "local" is still remote enough to do serious damage.