CVE-2021-28454: 
vulnerability analysis and mitigation

Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-28454) was discovered and reported to Microsoft on January 29, 2021, with public disclosure on April 15, 2021. This vulnerability affects various versions of Microsoft Excel and Microsoft Office products, including Microsoft 365 Apps, Office 2010 SP2, Office 2013 SP1, Office 2016, Office 2019, and Office Online Server (ZDI Advisory, NVD).

The vulnerability is a Use-After-Free (UAF) flaw that exists within the parsing of XLS files. The specific issue results from the lack of validating the existence of an object prior to performing operations on the object. The vulnerability has received a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

When successfully exploited, this vulnerability allows remote attackers to execute arbitrary code in the context of the current process on affected installations of Microsoft Excel. This could potentially lead to full system compromise with the same privileges as the victim user (ZDI Advisory).

Microsoft has released security updates to address this vulnerability. Users are advised to apply the appropriate patches through Microsoft's security update system. The fix is available through various KB articles depending on the affected product version (NVD).