Administrators scrambling to lock down Microsoft Excel against a newly disclosed code execution vulnerability have hit a snag: the security updates for Office LTSC for Mac 2021 and 2024 are not yet available. Microsoft’s advisory for CVE-2025-54904, a use‑after‑free flaw in Excel, confirms an attacker who convinces a victim to open a malicious spreadsheet can execute code locally. While Windows and other Office editions receive patches through Microsoft’s normal release channels, Mac users on the Long Term Servicing Channel have been told to wait.

“The security update for Microsoft Office LTSC for Mac 2021 and 2024 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information,” the Microsoft Security Response Center states on the advisory page.

The delay leaves a gap in protection for enterprises that rely on the Mac versions of Office for critical workflows. Here is what you need to know about the vulnerability, the missing patches, and how to defend your systems in the interim.

A New Excel Memory Corruption Flaw Emerges

CVE-2025-54904 surfaced in early August through Microsoft’s Security Update Guide. The advisory describes a use-after-free (UAF) condition in Microsoft Office Excel. The official description is terse: “A use-after-free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.” That one line packs a punch. Local code execution means an attacker who successfully exploits this flaw can run arbitrary commands with the privileges of the logged-on user. On machines where the user has administrator rights, the consequences can be catastrophic—complete system takeover, data exfiltration, or ransomware deployment.

This vulnerability is part of a recurring pattern. Throughout 2025, Microsoft has published multiple advisories for memory-corruption bugs in Excel. Use-after-free, buffer overflows, and other memory safety issues continue to haunt the product. The root cause often lies in Excel’s complex parsing engines, which must handle formulas, charts, ActiveX controls, OLE objects, and a myriad of file formats stretching back decades. That attack surface is wide, and each parsing routine represents a potential entry point for an attacker who crafts a malicious document.

Third-party vulnerability aggregators like Feedly and CVE Details quickly ingested the CVE identifier and the short description. However, at the time of this writing, the National Vulnerability Database (NVD) and other scoring authorities had not yet assigned a CVSS severity score. This is a common timing gap—vendor advisories frequently appear days or weeks before NVD enrichment completes. For CVE-2025-54904, the lack of a numeric score does not imply low severity. Historical Excel UAF vulnerabilities in 2025 have typically landed in the CVSS 7.8 range (high), with a local attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Until a formal score is published, IT teams should treat this CVE with the same urgency as other critical Office memory-corruption bugs.

What Microsoft’s Advisory Confirms

The authoritative source for this vulnerability is the Microsoft Security Update Guide entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54904/. The page is rendered dynamically with JavaScript, which means automated scanners that do not execute scripts may miss the full list of affected products and patch KB numbers. A human review is necessary to map the vulnerability to your specific Office installations.

From the advisory, we know the following:
- The vulnerability type is use-after-free.
- The impact is local code execution.
- The attack vector requires user interaction (opening a crafted file).
- For most Windows and Office 365 editions, security updates are available through the usual update channels (Microsoft Update, WSUS, etc.).
- Patches for Office LTSC for Mac 2021 and 2024 are delayed, with no firm delivery date beyond “as soon as possible.”

Microsoft does not disclose exploitation status in the advisory. At the initial release, no public proof-of-concept code was circulating in mainstream exploit repositories. However, the pattern after such disclosures is clear: exploit developers can reverse-engineer the patch by diffing the fixed and unfixed binaries, and working exploits often surface within days. Organizations should not wait for public PoCs to take action.

Technical Breakdown: Use-After-Free in Excel

A use-after-free vulnerability occurs when a program frees a block of memory but retains a pointer to that freed region. If the program later writes to or reads from that pointer, the behavior is undefined. An attacker who can control the timing of memory allocations and deallocations can often reclaim that freed memory with malicious data. When the dangling pointer is used, the attacker’s data may be treated as a valid object, leading to memory corruption, control-flow hijacking, and eventually arbitrary code execution.

Exploiting a UAF in Excel typically involves crafting a spreadsheet that triggers the bug during file opening, rendering, or recalculation. For CVE-2025-54904, the description “execute code locally” strongly suggests that the attacker must convince a user to open a malicious .xlsx, .xlsb, or .xls file. This could arrive via email attachment, shared network folder, or instant message. Once opened, the flawed parsing logic frees an object but later references it, and the attacker’s controlled data fills the memory gap at just the right moment.

Defenders should note that this class of bug does not require macros to be enabled. The vulnerability lives in Excel’s core parsing code, so the mere act of opening a file—even in Protected View—could trigger the flaw if the view does not fully isolate the parsing engine. That said, Windows Protected View does add a significant safety net by sandboxing the document and disabling active content, which can make exploitation more difficult but not impossible.

Affected Products and the Mac LTSC Gap

The exact list of affected Office versions and builds is enumerated only on Microsoft’s dynamic advisory page. Based on past Excel UAF advisories, it is reasonable to expect that many supported versions of Microsoft Office, including Office 2019, Office 2021, Microsoft 365 Apps, and potentially older still-supported suites, are vulnerable. The specific KB numbers for Windows updates will appear on the same page once you select your product.

For Mac users on the LTSC track, the situation is different. The advisory explicitly states that security updates for Office LTSC for Mac 2021 and 2024 are not immediately available. This is unusual and raises the stakes for organizations that have deployed these versions precisely for their long-term stability and predictable update cadence. The delay likely stems from separate build pipelines for Mac LTSC, but Microsoft has not provided technical reasoning.

Until the Mac updates arrive, those systems are fully vulnerable to CVE-2025-54904. Given that many enterprises use Mac LTSC in isolated or sensitive environments—finance, legal, engineering—the risk is not trivial.

The Exploitation Playbook

Attackers who successfully exploit this vulnerability can run code with the same rights as the current user. In a typical enterprise scenario:
- A targeted email campaign delivers an Excel file that looks like an invoice or report.
- The recipient opens the file, and the exploit chain triggers silently.
- The attacker gains a foothold: a reverse shell, a download cradle for second-stage malware, or direct execution of a ransomware payload.
- If the user has local administrator privileges, the attacker can disable security tools, steal credentials, and move laterally.

The user-interaction requirement means that the initial attack must be tailored to the victim, but social engineering remains a highly effective vector. External feeds and OSINT sources have not yet reported active exploitation in the wild, but the window between advisory publication and widespread attacks is often measured in days, not weeks.

Immediate Mitigations and Workarounds

For Windows and cloud-connected Office installations, patching is the top priority. Use the Microsoft Update Catalog, WSUS, or Configuration Manager to deploy the updates that correspond to your Office version. Verify that the patching covers every instance—especially those on Remote Desktop Services hosts or virtual desktop infrastructure where multiple users share the same Office installation.

For systems where patching cannot happen immediately, or for Mac LTSC machines awaiting the delayed update, layer these compensating controls:

  • Enable Protected View. Force Excel to open files from the internet and untrusted locations in Protected View. While not a complete fix, it reduces the attack surface by restricting many active features.
  • Block malicious attachments at the email gateway. Strip or quarantine Excel files with macros and use file type filters for .xls, .xlsb, .xlsm, and .xlsx from external sources. Combine with deep content inspection where possible.
  • Enforce application allow-listing. Use AppLocker or Windows Defender Application Control to prevent Excel from spawning unusual child processes (cmd.exe, powershell.exe, wscript.exe) even if a bug is triggered. This breaks common post-exploitation techniques.
  • Run users with least privilege. Remove local admin rights from end users. A code execution bug that lands as a standard user cannot disable security software or access system-wide credentials without a separate privilege escalation.
  • Strengthen endpoint detection. Tune EDR rules to flag process creation from Excel.exe to suspicious binaries, unusual network connections, or memory injection patterns. Increase logging verbosity on high-value targets.
  • User awareness. Remind employees to verify unexpected attachments through out-of-band communication before opening. Encourage the use of SharePoint, OneDrive, or other secure file-sharing platforms instead of email attachments.
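The EDR tuning point above can be prototyped before the vendor rule ships. The following is an added example, not code from the article or from Microsoft: it runs a parent/child process check over constructed, Sysmon-style process-creation events from both a Windows host and a Mac, since the Mac LTSC builds are the ones left unpatched. The event fields, image paths and the list of suspicious child binaries are assumptions chosen for illustration.

```python
# Added example: flag process-creation events where Excel spawns a shell,
# script host or downloader. Events are constructed, not real telemetry.
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath

# Parent image names that identify Excel on Windows and on macOS (assumed).
EXCEL_IMAGES = {"excel.exe", "microsoft excel"}

# Child images Excel has no business launching during normal spreadsheet use.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",          # Windows
    "sh", "bash", "zsh", "osascript", "curl", "python3",  # macOS
}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    user: str


def basename(path: str) -> str:
    """Lowercase final path component for a Windows or POSIX path."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return p.name.lower()


def is_excel_child_anomaly(event: ProcessEvent) -> bool:
    """True when Excel (Windows or Mac) is the parent of a suspicious child."""
    return (basename(event.parent_image) in EXCEL_IMAGES
            and basename(event.image) in SUSPICIOUS_CHILDREN)


def triage(events):
    """Return the events worth an alert, preserving input order."""
    return [e for e in events if is_excel_child_anomaly(e)]


# Constructed sample events: two benign, two that should alert.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\splwow64.exe", "CORP\\alice"),  # print helper
    ProcessEvent("/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel",
                 "/usr/bin/curl", "bob"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "CORP\\carol"),  # a user opening a prompt is not Excel's doing
]
```

In production the same predicate would run against the parent image and image fields of Sysmon Event ID 1 or the equivalent EDR telemetry, with the child list tuned to the add-ins and print helpers actually used in your environment.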

For Mac LTSC specifically, since the patch is not yet available, these compensating controls become your primary defense. Isolate critical Mac systems from untrusted document workflows if possible, and consider routing all external spreadsheets through a hardened Windows or cloud-based rendering service that is already patched.

Long-Term Defenses Against Office Memory Bugs

CVE-2025-54904 is a symptom of a deeper challenge: the Office codebase, with its decades-long history, remains fertile ground for memory-safety bugs. While Microsoft has invested heavily in exploit mitigations (Control Flow Guard, Arbitrary Code Guard, etc.) and sandboxing, the sheer volume of legacy parsing code means that UAFs and buffer overflows will continue to appear. Organizations can reduce their risk posture permanently with these strategies:

  • Adopt a Zero Trust approach for documents. Never trust a file merely because it comes from a known sender. Implement content disarm and reconstruction (CDR) solutions that strip active content and rebuild Office files into safe, flat versions.
  • Move document processing to the cloud. Use Office Online Server or Azure-based rendering services to open and process untrusted files in isolated containers. Expose only the rendered output to users.
  • Harden endpoint configurations. Apply Windows security baselines, enable all available Office security features (macro blocking, protected view, file block settings), and use Exploit Protection to add per-application mitigations.
  • Proactive fuzzing and vulnerability research. If your organization develops or integrates Office add-ins, invest in fuzz testing your components. Many third-party extensions introduce their own memory bugs that interact with Excel’s core.
  • Incident response playbooks. Prepare procedures for rapid containment if an Office-based exploit surfaces in your environment. Include steps for network isolation, forensic evidence collection, and mass patch deployment.

Why Delayed Updates Matter

The missing Mac LTSC patches expose a fragility in a model that ships one fix across many product editions and platforms. Security updates for Microsoft Office are normally synchronized across platforms, but exceptions like this remind IT administrators that not every edition is patched at the same time. The LTSC editions prioritize stability over feature velocity, but when a critical security flaw appears, that same stability can become a liability if the patch pipeline stalls.

For Mac environments, the delay also complicates compliance with regulations that mandate timely patching. Organizations subject to PCI DSS, HIPAA, or other frameworks may need to document the risk and implement compensating controls to satisfy auditors. The absence of a firm timeline from Microsoft (“as soon as possible”) adds to the uncertainty.

What to Watch Next

The story around CVE-2025-54904 is still unfolding. Here are the key developments to track:

  • Microsoft’s advisory revisions. The MSRC page for this CVE will be updated when Mac patches ship. Subscribe to RSS or check manually.
  • NVD and CISA scoring. When the CVSS score is published, use it to reinforce patch prioritization arguments. A high-severity rating will make it easier to justify emergency change windows.
  • Proof-of-concept code and exploitation. Monitor threat intelligence feeds for reports of active attacks. Even if you have patched, awareness of in-the-wild techniques can inform your detection rules.
  • Possible out-of-band updates. In rare cases, Microsoft releases patches outside the usual Patch Tuesday cycle for critical vulnerabilities. If exploitation escalates, the Mac updates may arrive as an out-of-band release.

Conclusion

CVE-2025-54904 is not a theoretical concern—it is a real, patchable code execution bug in one of the most widely used business applications on the planet. Microsoft has delivered security updates for the majority of Office editions, but the delayed patch for Office LTSC for Mac 2021 and 2024 creates a dangerous gap. For Windows administrators, the path is clear: deploy the available updates immediately. For Mac LTSC shops, until those updates land, every compensating control must be tightened. Excel use-after-free vulnerabilities are a recurring nightmare, but swift action, layered defenses, and user education can keep attackers at bay.