Microsoft has rolled out crucial patches for two high-severity buffer over-read vulnerabilities in Microsoft Word and Excel, both enabling local attackers to extract sensitive memory contents. The flaws, tracked as CVE-2025-53736 (Word) and CVE-2025-32704 (Excel), underscore a persistent attack surface in Office’s complex document parsing code. Administrators are urged to apply the vendor’s updates immediately and implement layered mitigations to reduce exposure.

CVE-2025-53736, detailed in Microsoft’s Security Update Guide, is a Word information-disclosure vulnerability caused by a buffer over-read. When a specially crafted document is opened or previewed, the parser reads beyond allocated memory, leaking potentially valuable data such as credentials, memory addresses that defeat Address Space Layout Randomization (ASLR), or other secrets. Microsoft advises that user interaction is required, but the prevalence of phishing and malicious attachments makes the threat tangible. The flaw is particularly concerning because Word’s preview handlers in Outlook and Explorer can trigger the over-read without a user explicitly opening the file, expanding the attack surface.

CVE-2025-32704, disclosed in the National Vulnerability Database, is a buffer over-read in Microsoft Office Excel that allows a local attacker to execute code. Though classified as an information‑disclosure bug by some sources, Microsoft’s advisory and CVSS scoring indicate a more severe impact: a local attacker with low privileges can achieve code execution, with a CVSS 3.1 base score of 7.8 (high). Affected products include Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, and Office LTSC 2021 and 2024 across 32-bit and x64 systems.

The anatomy of a buffer over-read

Buffer over-reads (CWE‑126 or CWE‑125) occur when a program reads data beyond the boundary of an allocated buffer, returning memory that the application never intended to expose. Unlike buffer overflows that may enable code injection, over-reads primarily leak data. However, that leaked data can be leveraged to bypass modern security mitigations.

For instance, leaked heap or stack contents may contain pointers that reveal the memory layout, effectively neutering ASLR. In other cases, authentication tokens, private keys, or fragments of sensitive documents may be exposed. Even a small leak can be chained with other vulnerabilities to escalate an attack from a simple read to full remote code execution.

In Office applications, the risk is amplified by the sheer variety of file formats and embedded objects Word and Excel must parse. RTF, DOCX, XLSX, and legacy binary formats all rely on intricate parsing routines that historical bugs have frequently shown to be brittle. When a malformed document reaches one of these parsers, the outcome can range from a crash to a silent leak of process memory.
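To make the bug class concrete, here is an added example (not Microsoft's code and not taken from either advisory) using a toy length-prefixed record layout of the kind legacy binary formats rely on: the unchecked parser trusts the declared length and hands back bytes from beyond the document, while the checked parser bounds that length by the data actually present and rejects the record. The record layout, the arena contents and the "SECRET-TOKEN" string are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 4      /* toy record: [uint16 type][uint16 declared length][payload] */
#define DOC_LEN 9  /* bytes that really belong to the constructed document */
/* Simulated process memory: a 9-byte document whose header claims a 32-byte
 * payload, followed by unrelated data that the parser must never return. */
static const uint8_t arena[64] = {
    0x01, 0x00, 0x20, 0x00,            /* type 1, declared length 32 */
    'H', 'e', 'l', 'l', 'o',           /* real payload: 5 bytes      */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'T', 'O', 'K', 'E', 'N', 0   /* adjacent heap data */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable (CWE-126): trusts the declared length and copies bytes that lie
 * past the end of the document. The outcap check guards only the destination. */
size_t parse_unchecked(const uint8_t *doc, uint8_t *out, size_t outcap) {
    size_t len = rd16(doc + 2);
    if (len > outcap) len = outcap;
    memcpy(out, doc + HDR, len);
    return len;
}

/* Hardened: bound the declared length by the bytes actually present. */
int parse_checked(const uint8_t *doc, size_t doc_len, uint8_t *out, size_t outcap, size_t *got) {
    if (doc_len < HDR) return -1;
    size_t len = rd16(doc + 2);
    if (len > doc_len - HDR || len > outcap) return -1;   /* reject the over-read */
    memcpy(out, doc + HDR, len);
    *got = len;
    return 0;
}

/* Outcome of each parser on the constructed arena (1 = true). */
int unchecked_leaks_secret(void) {
    uint8_t out[64] = {0};
    size_t n = parse_unchecked(arena, out, sizeof out);
    return n == 32 && strstr((const char *)out, "SECRET-TOKEN") != NULL;
}
int checked_rejects(void) {
    uint8_t out[64];
    size_t got = 0;
    return parse_checked(arena, DOC_LEN, out, sizeof out, &got) == -1;
}

int main(void) {
    printf("unchecked parser leaks adjacent memory: %s\n", unchecked_leaks_secret() ? "yes" : "no");
    printf("checked parser rejects the record:     %s\n", checked_rejects() ? "yes" : "no");
    return 0;
}
```

The over-read in `parse_unchecked` stays inside the single `arena` array here so the demonstration is well-defined; in a real parser the same trust in a length field reads whatever the heap happens to hold next.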

Why document previews raise the stakes

Both Word and Excel integrate deeply with Windows Explorer and Outlook. The Preview Pane and thumbnail handlers allow users to see document contents without a full open. However, these previewers often run within the same process space as the full application, meaning a crafted file selected or displayed in a preview can trigger the vulnerable code path with no additional user action.

Microsoft has documented multiple Office vulnerabilities in recent years that are exploitable via the Preview Pane. CVE-2025-53736 explicitly fits this pattern: an attacker sends a malicious document via email, the recipient merely clicks on the message in Outlook, and the over-read fires as the preview renders. For the Excel flaw, a similar mechanism could apply if the file is previewed in Explorer or opened by a script.

Real-world exploitation scenarios

Phishing remains the most likely delivery vector. An attacker crafts a document that contains a carefully malformed structure designed to trigger the over-read. The document is attached to an email disguised as an invoice, report, or urgent internal communication. When the victim previews or opens it, the parser over-reads memory. In an information-disclosure scenario, the leaked data must be exfiltrated—perhaps via an embedded web beacon or a second-stage macro—but advanced attacks can stitch these steps together seamlessly.

In multi-user environments like virtual desktop infrastructure (VDI) or shared workstations, a local adversary with limited privileges could place the malicious file in a shared folder. Another user’s Word or Excel session, perhaps running with higher privileges, might inadvertently process the file, leaking secrets to the attacker.

Severity and urgency

Microsoft has not publicly assigned a CVSS score to CVE-2025-53736, but the advisory emphasizes it as an important information-disclosure issue. The Excel flaw, CVE-2025-32704, carries a CVSS 3.1 score of 7.8 (high) from NIST and 8.4 (high) from Microsoft, reflecting the code-execution vector. Both flaws fit a broader trend of memory-safety bugs in Office that enable multi‑stage attacks. Administrators should treat them as high-priority patches.

Who is affected?

For CVE-2025-32704, the affected configurations are well‑documented:
- Microsoft 365 Apps for Enterprise (32‑bit and x64)
- Microsoft Excel 2016 (all editions)
- Microsoft Office 2019 (all editions)
- Microsoft Office LTSC 2021
- Microsoft Office LTSC 2024

Microsoft’s advisory page for CVE-2025-53736 should be consulted for the exact Word builds and KB numbers. In general, any supported version of Word that receives security updates is likely affected.

Immediate mitigation checklist

  1. Apply patches: Check the MSRC entries for both CVEs (CVE-2025-53736 and CVE-2025-32704) to obtain the specific KB articles and build numbers. Deploy through Windows Update, WSUS, SCCM, or Intune.
  2. Disable Preview Pane: In Outlook, turn off the Reading Pane (View → Reading Pane → Off). In File Explorer, toggle off the Preview Pane (View → Preview Pane). Enforce these settings via Group Policy or Intune policies.
  3. Enforce Protected View: Ensure Protected View is enabled for all files originating from the internet, email attachments, and unsafe locations. This sandboxes the document and limits the impact of a successful exploit.
  4. Remove admin rights: Users should operate with standard user privileges. This blunts the impact of local exploitation, as many post-exploitation actions require administrative access.
  5. Enable Attack Surface Reduction (ASR) rules: Use Windows Defender or Endpoint Protection to activate rules that block Office applications from creating child processes, injecting code, or launching suspicious content.
  6. Sandbox attachments: For high-risk users (finance, HR, executives), route email attachments through a sandboxing service or content disarm and reconstruction (CDR) tool that strips active content before delivery.

Enterprise patching playbook

  • Inventory: Scan all endpoints for Office installations. Identify update channels—Current Channel, Monthly Enterprise Channel, Semi-Annual Enterprise Channel, LTSC—as patch availability may vary.
  • Prioritize: Patch externally facing systems, remote worker devices, VDI pools, and hosts used by privileged accounts first. Shared workstations are also high priority because local attacks are more feasible.
  • Test: Deploy patches to a pilot group that reflects your critical Office workflows, including integrations with document management systems, custom add-ins, and macros.
  • Rollout: Use a phased deployment, monitoring for application compatibility issues. If a patch causes regressions, open a case with Microsoft but keep mitigations in place.
  • Verify: After rollout, confirm that the correct KB/build numbers are installed. Many compliance frameworks require documented evidence of patch status.

Detection and monitoring

While specific signatures for these CVEs may not yet be publicly available, behavior-based detection can catch exploitation attempts:
- Monitor for winword.exe or excel.exe crashing unexpectedly during document parsing. Collect crash dumps and stack traces for forensic analysis.
- Alert on Office processes spawning unexpected child processes (e.g., cmd.exe, powershell.exe), a common sign of exploit chains.
- Watch for network connections originating from Office applications shortly after opening untrusted documents.
- Use endpoint detection and response (EDR) tools to correlate Office crashes with subsequent access to credential stores (LSASS dumps, token manipulation).

Long-term hardening strategies

Beyond the immediate patches, organizations should adopt practices that reduce the attack surface of Office documents:
- Migrate to evergreen update channels to receive security fixes rapidly.
- Enable application control (AppLocker or Windows Defender Application Control) to restrict what binaries Office processes can launch.
- Deploy macro‑free policies and block active content in documents from the internet.
- Conduct regular phishing simulations that include malicious document attachments, training users to recognize and report suspicious files.
- Implement network segmentation to limit lateral movement if a workstation is compromised.

The bigger picture

Memory-safety bugs continue to plague productivity software. Both CVE-2025-53736 and CVE-2025-32704 are rooted in parsing logic that fails to validate input sizes. While Microsoft’s Security Development Lifecycle has driven many improvements, the legacy code in Office remains a target. For security teams, these disclosures reinforce the need for defense in depth: patching is critical, but so are architectural decisions that minimize the impact of a single exploited machine.

As PoCs or detailed technical analyses emerge, red teams and threat hunters will have more precise indicators. For now, the safest course is immediate patching and aggressive configuration hardening. The combination of a patched Office suite, disabled preview features, and strict application controls can render these vulnerabilities nearly impossible to exploit in a well‑defended environment.