CVE-2025-30377: 
vulnerability analysis and mitigation

CVE-2025-30377 is a use-after-free vulnerability discovered in Microsoft Office that was disclosed on May 13, 2025. The vulnerability affects multiple versions of Microsoft Office products including Office 2016, Office 2019, Microsoft 365 Apps Enterprise, and Office Long Term Servicing Channel 2021 and 2024 across various platforms including Windows (x86/x64), macOS, and Android (NVD, CVE).

The vulnerability is classified as a use-after-free (CWE-416) issue that allows an unauthorized attacker to execute code locally. It has received a CVSS 3.1 base score of 8.4 (HIGH) from Microsoft with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while NIST assigned a slightly lower score of 7.8 (HIGH) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows an unauthorized attacker to execute arbitrary code with local access to the system, potentially leading to complete compromise of the affected system's confidentiality, integrity, and availability (Talos Intelligence).

The vulnerability was disclosed as part of Microsoft's May 2025 Patch Tuesday release, which included a total of 78 vulnerabilities. While this vulnerability was rated as "important" rather than "critical", its high CVSS score of 8.4 indicates its potential severity (Talos Intelligence).