CVE-2025-21345: 
vulnerability analysis and mitigation

Microsoft Office Visio Remote Code Execution Vulnerability was disclosed on January 14, 2025. This vulnerability affects multiple Microsoft Office products including Microsoft 365 Apps Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft Office LTSC 2024, in both x64 and x86 versions (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is Local (AV:L), with Low attack complexity (AC:L), requiring No privileges (PR:N), and User interaction (UI:R). The impact metrics show High severity for Confidentiality, Integrity, and Availability. Microsoft has classified this as a Use After Free (CWE-416) vulnerability (NVD).

If successfully exploited, this vulnerability could allow an attacker to achieve high levels of impact across three security properties: confidentiality, integrity, and availability. The scope is unchanged, meaning the vulnerable component and the impacted component are the same (AttackerKB).

Microsoft has released security updates to address this vulnerability. Users are advised to apply the latest security updates through the official Microsoft Update channel. Affected users can find the security updates at https://aka.ms/OfficeSecurityReleases (NVD).