Microsoft has disclosed a critical remote code execution flaw in Word, tracked as CVE-2025-62558, that could allow attackers to take over a PC simply by having a victim open a malicious document. Yet the CVSS severity rating labels the attack vector as "Local," leaving many users and administrators scratching their heads. Here’s what’s really going on—and why you need to patch immediately.

The Two Faces of CVE-2025-62558: Remote Threat, Local Trigger

The confusion stems from two different ways of describing the same vulnerability. Microsoft’s security advisory bluntly states "Remote Code Execution" because an attacker anywhere on the internet can craft a weaponized .docx file, email it to you, and gain control of your machine if you open it. However, the CVSS score assigns an Attack Vector of Local (AV:L) because the actual exploitation happens inside the Word process on your computer—not over a network connection.

This is not a contradiction; it’s a reflection of how modern document-based attacks work. According to Microsoft’s clarification, the term "Remote" in the title refers to the location of the attacker, while the CVSS vector captures where the vulnerable code executes. The attack itself is carried out locally when Word parses the malicious file. Understanding this nuance is critical for accurately gauging risk and prioritizing defenses.

Who’s Affected and How Bad Is It Really?

All supported versions of Microsoft Word, across both Windows and macOS, are potentially impacted. The advisory doesn’t list specific build numbers, but the vulnerability likely affects the core document parsing engine, making it widespread. Home users, enterprise workers, and anyone using Word for email attachments or cloud documents are at risk.

The impact is severe: successful exploitation lets an attacker run arbitrary code with the same privileges as the logged-in user. If you have admin rights, the attacker owns the entire system. Even without admin rights, they can steal data, install malware, or move laterally within a network. Microsoft has rated this vulnerability as "Important" and assigned a CVSS base score of 7.8—high severity, with high impact on confidentiality, integrity, and availability.

The Local attack vector doesn’t make it less dangerous. In fact, it’s typical for Office vulnerabilities: the attacker just needs you to open a file. No macros, no clicking “enable content”—the mere act of parsing the document can trigger the exploit. This is what makes it remote code execution in practice, even if the mechanism is local.

From Email to Exploit: How These Attacks Unfold

Exploiting CVE-2025-62558 most likely follows a well-worn playbook for Office document-based attacks:

  1. Crafting: An attacker creates a specially crafted Word document that corrupts memory or abuses a parsing flaw—common root causes include use-after-free bugs, out-of-bounds writes, or type confusion.
  2. Delivery: The file is distributed via phishing emails, cloud storage links, or compromised websites. Social engineering tricks users into opening it.
  3. Triggering: When Word opens the file, the vulnerable parser is invoked. The exploit executes code without any further action from the user.
  4. Post-exploitation: The attacker may then download more malware, steal credentials, persist on the system, or move laterally.

This pattern has been seen in countless real-world attacks, from state-sponsored espionage to ransomware gangs. Because the exploit lives in the parsing logic, disabling macros or ActiveX won’t stop it. Only a patch—or robust application sandboxing—can block the initial code execution.

Your Action Plan: Patching and Beyond

The single most important step is to apply Microsoft’s security updates immediately. These patches fix the underlying parsing flaws and are the only definitive way to eliminate the vulnerability.

For Home Users

  • Run Windows Update: Check for updates and install all available patches for Office. If you use Microsoft 365, updates are delivered automatically via Click-to-Run, but manually triggering an update ensures you’re protected now.
  • Enable Protected View: Word’s built-in Protected View opens documents from the internet in a sandboxed, read-only mode. Make sure it’s turned on (it’s the default, but verify in File > Options > Trust Center).
  • Think before you click: Pause before opening attachments or links, even from known contacts. If you weren’t expecting a document, verify via another channel.

For IT Administrators

  • Patch management: Identify all Office installations in your environment (Click-to-Run, MSI, LTSC, etc.) and deploy the relevant KBs through your patch management system. Prioritize devices whose users handle external documents.
  • Secure server-side previews: If you run email gateways, DLP appliances, or document conversion services that parse Word files, patch those immediately. On such servers, the attack vector effectively becomes Network (AV:N) because an unauthenticated attacker can trigger the vulnerability by sending a malicious attachment; no user interaction is needed for the server to open it.
  • Harden mail flow: Configure your email gateway to detonate attachments in a sandbox, block suspicious file types, and strip macros or active content.
  • Deploy application control: Use AppLocker or Windows Defender Application Control to prevent Word from spawning unexpected child processes like PowerShell or cmd.exe. This won’t stop the initial exploit but can contain post-exploitation lateral movement.
  • Enable Attack Surface Reduction rules: In Microsoft Defender for Endpoint, turn on rules that block Office apps from creating child processes, launching executable content, or injecting code.
  • Monitor and hunt: Set up alerts for anomalous Word behavior—unusual network connections, process creation, or registry modifications. Hunt for indicators of compromise using the MITRE ATT&CK framework.

For Developers and Security Researchers

  • The CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Note the User Interaction: Required (UI:R). While the exploit requires a user to open a file, the complexity is low (AC:L), meaning attacks are relatively easy to weaponize.
  • Stay tuned for technical write-ups. If Microsoft or a third party publishes a proof of concept, the risk of exploitation in the wild will spike. Incorporate that intel into your threat models.

What’s Next: Living with Document-Based Threats

CVE-2025-62558 is unlikely to be the last Word parsing vulnerability. The complexity of Office file formats—spanning legacy binary structures, OLE objects, and modern XML-based archives—guarantees a steady stream of similar bugs. Microsoft’s move to sandbox Word in Windows 10 and 11 through Protected View and Application Guard has raised the bar, but determined attackers constantly search for escape hatches.

Longer term, organizations should consider architectural changes: moving email to zero-trust, treating attachments as inherently dangerous, and isolating high-risk tasks like document previewing into disposable virtual machines. For now, treat this advisory as urgent. Patch first, then layer your defenses—because when the next malicious document lands in an inbox, you’ll want every protection in place.