CVE-2025-27745: 
vulnerability analysis and mitigation

CVE-2025-27745 is a remote code execution vulnerability in Microsoft Office discovered and disclosed on April 8, 2025. The vulnerability affects Microsoft Office applications and allows an unauthorized attacker to execute code locally through a use-after-free condition. The vulnerability has been assigned a CVSS 3.1 base score of 7.8 HIGH (NVD, Talos Blog).

The vulnerability is classified as a use-after-free (CWE-416) condition in Microsoft Office. When exploited, it allows an attacker to trigger a use-after-free scenario that can lead to arbitrary code execution. The vulnerability requires user interaction, and the Preview Pane is identified as a potential attack vector. The CVSS 3.1 vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required (NVD, ZDI).

If successfully exploited, the vulnerability allows an attacker to execute arbitrary code in the context of the current user. The high CVSS score of 7.8 reflects the significant potential impact on confidentiality, integrity, and availability of the affected system (NVD).

Microsoft has released security updates to address this vulnerability as part of the April 2025 Patch Tuesday updates. The fix is included in KB5002700 for affected versions of Microsoft Office. Users should note that Mac versions of Microsoft Office LTSC 2021 and 2024 patches are not yet available (Microsoft Support).