CVE-2025-32704
📋 TL;DR
A buffer over-read vulnerability in Microsoft Office Excel allows attackers to read beyond allocated memory boundaries, potentially leading to information disclosure or remote code execution. This affects users who open malicious Excel files with vulnerable versions of Microsoft Office. The vulnerability requires user interaction to open a specially crafted file.
💻 Affected Systems
- Microsoft Office Excel
- Microsoft 365 Apps
- Microsoft Office LTSC
📦 What is this software?
365 Apps by Microsoft
Excel by Microsoft
Office by Microsoft
Office Long Term Servicing Channel by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM privileges leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Information disclosure through memory leaks, potentially exposing sensitive data or credentials stored in memory.
If Mitigated
Limited impact with proper application sandboxing and memory protection mechanisms in place.
🎯 Exploit Status
Requires user interaction to open malicious Excel file. Exploit development requires understanding of Excel file format and memory layout.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific version numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32704
Restart Required: Yes
Instructions:
1. Open any Office application.
2. Go to File > Account > Update Options > Update Now.
3. Restart Office applications when prompted.
4. For enterprise deployments, deploy through Microsoft Endpoint Configuration Manager or WSUS.
🔧 Temporary Workarounds
Block Excel file types via Group Policy
Windows: Prevent opening of Excel files from untrusted sources
gpedit.msc > User Configuration > Administrative Templates > Windows Components > Attachment Manager > 'Do not preserve zone information' = Disabled
Enable Protected View
Windows: Force Excel files from the internet to open in Protected View
File > Options > Trust Center > Trust Center Settings > Protected View > Enable all Protected View options
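To confirm that both workarounds above are actually in effect for the current user, the following PowerShell audit reads the settings back from the registry. It is an added example, not part of the vendor advisory. The registry paths and value names are assumptions not given on this page: they apply to Office 2016 and later, including Microsoft 365 Apps (the "16.0" hive).

```powershell
# Added example: audit Protected View and zone-information settings (current user).
# Assumption: Office 2016+/Microsoft 365 Apps, which use the "16.0" registry hive.
$pvValues = 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV', 'DisableAttachmentsInPV'
$pvKeys = @(
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView',  # Group Policy
    'HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView'            # Trust Center UI
)
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = @(foreach ($name in $pvValues) {
    # The policy key overrides the user's own choice; absent in both means the
    # Office default, which leaves that Protected View option enabled.
    $effective = $null
    $source = 'default'
    foreach ($key in $pvKeys) {
        $v = Get-RegValue -Path $key -Name $name
        if ($null -ne $v) { $effective = $v; $source = $key; break }
    }
    [pscustomobject]@{
        Check  = "Protected View: $name"
        Value  = if ($null -eq $effective) { '(not set)' } else { $effective }
        Source = $source
        Ok     = ($null -eq $effective -or $effective -eq 0)   # 1 turns the option off
    }
})

# 'Do not preserve zone information' = Disabled is stored as SaveZoneInformation = 2.
# A value of 1 strips the zone mark that Protected View relies on for downloaded files.
$zone = Get-RegValue -Path $zoneKey -Name 'SaveZoneInformation'
$results += [pscustomobject]@{
    Check  = 'Attachment Manager: SaveZoneInformation'
    Value  = if ($null -eq $zone) { '(not set)' } else { $zone }
    Source = if ($null -eq $zone) { 'default' } else { $zoneKey }
    Ok     = ($zone -ne 1)
}

$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) setting(s) weaken the workarounds." }
```

Any row with Ok = False means a file arriving from the internet or as an attachment can open outside Protected View on that profile.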
🧯 If You Can't Patch
- Implement application whitelisting to block unauthorized Excel execution
- Deploy email filtering to block Excel attachments from external sources
🔍 How to Verify
Check if Vulnerable:
Check the Excel version via File > Account > About Excel and compare it with the patched versions in the Microsoft advisory
Check Version:
PowerShell:
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "*Office*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Verify Office updates installed via Control Panel > Programs > Programs and Features > View installed updates
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) for Excel with suspicious parent processes
- Office crash reports in Windows Event Log
Network Indicators:
- Unusual outbound connections from Excel process
- DNS requests to suspicious domains after Excel launch
SIEM Query:
source="windows" event_id=4688 process_name="EXCEL.EXE" | stats count by parent_process_name