CVE-2025-21390: 
vulnerability analysis and mitigation

Microsoft disclosed a Remote Code Execution vulnerability in Excel, identified as CVE-2025-21390, on February 11, 2025. The vulnerability affects multiple Microsoft products including Microsoft 365 Apps (Enterprise), Excel 2016, Office 2019, Office 2021, and Office Online Server versions up to 16.0.10416.20058, across both x64 and x86 architectures (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Microsoft has classified this as a heap-based buffer overflow vulnerability (CWE-122) (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with the same privileges as the compromised user. Given the CVSS metrics, the vulnerability can potentially lead to high impacts on confidentiality, integrity, and availability of the affected system (NVD).

Microsoft has released security updates to address this vulnerability. The fix is included in build 16.0.10416.20058 of the security update package. Users can obtain the update through Microsoft Update, Microsoft Update Catalog, or the Microsoft Download Center (Microsoft Support).