CVE-2025-21354: 
vulnerability analysis and mitigation

Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-21354) is a critical vulnerability discovered in January 2025. The vulnerability affects various Microsoft products including Microsoft 365 Apps, Office 2019, Office 2021, Office 2024, and Office Online Server. This vulnerability has been assigned a CVSS score of 7.8 (High) (NVD).

The vulnerability is classified as a Remote Code Execution (RCE) vulnerability caused by untrusted pointer dereference. The attack vector involves the Preview Pane functionality in Microsoft Excel. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (CrowdStrike).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the target system with the privileges of the current user. The vulnerability affects confidentiality, integrity, and availability of the system, all rated as High according to the CVSS metrics (NVD).

Microsoft has released security updates to address this vulnerability as part of the January 2025 Patch Tuesday updates. The fix is available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For Office Online Server, the security update package build 16.0.10416.20047 has been released (Microsoft Support).