CVE-2025-29791: 
vulnerability analysis and mitigation

CVE-2025-29791 is a type confusion vulnerability discovered in Microsoft Office that was disclosed on April 8, 2025. The vulnerability allows an unauthorized attacker to execute code locally through access of resource using incompatible type. This vulnerability affects various versions of Microsoft Office, including Office 2016 and its components (NVD, Microsoft Support).

The vulnerability is classified as a type confusion issue (CWE-843) with a CVSS 3.1 base score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability can be triggered when a specially crafted document is opened, leading to a type confusion condition that could result in arbitrary code execution (Talos Intelligence).

If successfully exploited, this vulnerability allows an attacker to execute arbitrary code in the context of the current user. The vulnerability has high impacts on confidentiality, integrity, and availability as indicated by its CVSS scoring (NVD).

Microsoft has released security update KB5002700 to address this vulnerability. The update is available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. Users should note that after installing KB5002700, they must also install KB5002623 (April 10, 2025 update) to resolve a known issue where Microsoft Word, Excel, and Outlook might stop responding (Microsoft Support).