CVE-2025-62557
Microsoft · Microsoft Multiple Products
A high-severity vulnerability has been discovered in multiple Microsoft Office products that could allow an attacker to take full control of a user's computer.
Executive summary
A high-severity vulnerability has been discovered in multiple Microsoft Office products that could allow an attacker to take full control of a user's computer. If a user opens a specially crafted malicious document, an attacker can execute arbitrary code, leading to potential data theft, malware installation, and further network compromise. Organizations are urged to apply the vendor-provided security patches immediately to mitigate this significant risk.
Vulnerability
This is a Use-After-Free (UAF) vulnerability within Microsoft Office's document processing components. An attacker can exploit this flaw by creating a specially crafted Office file (e.g., a Word document or Excel spreadsheet) and convincing a victim to open it. When the victim opens the malicious file, the Office application continues to use a memory object after it has been deallocated (freed), which can cause the application to crash or behave unexpectedly. An attacker who can control what is placed in that freed memory before it is reused can turn the flaw into execution of their own code with the same permissions as the logged-in user.
Business impact
High severity with a CVSS score of 8.4. The successful exploitation of this vulnerability poses a significant threat to the organization. An attacker could achieve local code execution on a victim's workstation, leading to a complete compromise of that system. Potential consequences include the theft of sensitive corporate data, deployment of ransomware, installation of persistent backdoors for long-term access, and the ability for the attacker to move laterally across the internal network. This could result in major financial loss, reputational damage, and severe disruption to business operations.
Remediation
Immediate Action: The primary and most effective remediation is to apply the security updates released by Microsoft across all affected endpoints immediately. Prioritize patching systems that handle external documents and those used by high-profile employees. After patching, continue to monitor for exploitation attempts and review application and system logs for anomalous activity involving Microsoft Office processes.
Proactive Monitoring: Implement enhanced monitoring through Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) solutions. Create alerts for suspicious child processes spawning from Office applications (e.g., winword.exe or excel.exe launching powershell.exe, cmd.exe, or wscript.exe). Monitor for unusual outbound network traffic from workstations originating from Office products and review application crash logs for patterns that may indicate failed exploitation attempts.
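The child-process alert described above, as an added example that is not part of the original advisory: a small detection routine run over constructed Sysmon-style process-creation records. The parent and child process lists extend the advisory's examples with the obvious siblings (pwsh.exe, cscript.exe) and are assumptions to tune for your environment.

```python
import re
from typing import Dict, List, Optional

# Office parents and scripting hosts named in the advisory, plus assumed siblings.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert reason for one process-creation event, or None if benign.

    Expects Sysmon Event ID 1 style fields: ParentImage, Image, CommandLine.
    """
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    reason = f"{parent} spawned {child}"
    # An encoded PowerShell command line is a stronger signal than the spawn alone.
    if re.search(r"(?i)\s-(e|enc|encodedcommand)\b", event.get("CommandLine", "")):
        reason += " with an encoded command line"
    return reason

def detect(events: List[Dict[str, str]]) -> List[str]:
    """Run classify over a batch of events and return the alert reasons."""
    return [r for r in (classify(e) for e in events) if r is not None]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # legitimate print-spooler helper
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The same parent/child pairing can be expressed as an EDR or SIEM rule; the script is only meant to make the logic and its false-positive boundary (Office spawning non-scripting helpers) concrete.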
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- User Awareness: Advise all users to exercise extreme caution and not open unsolicited Office documents from unknown or untrusted sources.
- Email Security Gateway: Configure email filters to block or quarantine attachments with potentially malicious characteristics.
- Attack Surface Reduction (ASR): Enable Microsoft Defender ASR rules to block Office applications from creating child processes or injecting code into other processes.
- Protected View: Ensure Microsoft Office Protected View is enabled, as it opens documents from untrusted locations in a restricted sandbox, which can prevent exploitation.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability represents a critical risk to the organization. The ability for an attacker to achieve code execution through a common file format like a Microsoft Office document makes it a highly attractive vehicle for phishing and other social engineering campaigns. Although this CVE is not currently listed on the CISA KEV list, its high CVSS score and potential for widespread impact warrant an immediate and prioritized response. We strongly recommend that all available security updates from Microsoft are applied to all corporate endpoints without delay to prevent potential compromise.