CVE-2025-21346: 
vulnerability analysis and mitigation

A security feature bypass vulnerability has been identified in Microsoft Office, tracked as CVE-2025-21346. The vulnerability was disclosed on January 14, 2025, affecting multiple versions of Microsoft Office including Office 2016, Office 2019, Office 2021, Office 2024, and Microsoft 365 Apps Enterprise editions for both x86 and x64 architectures (NVD, Microsoft Support).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) by NIST with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required. Microsoft's assessment differs slightly with a CVSS score of 7.1 (High) and vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H. The vulnerability is classified under CWE-693 (Protection Mechanism Failure) (NVD).

Based on the CVSS scoring, successful exploitation of this vulnerability could result in high impacts to both integrity and availability of the affected systems, with potential for complete compromise of system confidentiality according to NIST's assessment (NVD).

Microsoft has released security updates to address this vulnerability. Users can obtain the update through multiple channels: Microsoft Update, Microsoft Update Catalog, or the Microsoft Download Center. For Office 2016 specifically, standalone update packages (KB5002595) are available for both 32-bit and 64-bit versions. It's important to note that the update applies only to Microsoft Installer (.msi)-based editions and not to Click-to-Run editions such as Microsoft Office 365 Home (Microsoft Support).