CVE-2025-30379: 
vulnerability analysis and mitigation

A remote code execution vulnerability has been identified in Microsoft Office Excel, tracked as CVE-2025-30379. The vulnerability stems from a release of invalid pointer or reference in Microsoft Excel that allows an unauthorized attacker to execute code locally. This vulnerability was disclosed on May 13, 2025, affecting various versions of Microsoft Excel, Office 2019, Microsoft 365 Apps Enterprise, and Office Online Server (NVD Database, CVE Mitre).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-763 (Release of Invalid Pointer or Reference). The issue affects multiple Microsoft products including Microsoft 365 Apps Enterprise (x64 and x86), Excel 2016, Office 2019, and Office Online Server versions up to (excluding) 16.0.10417.20010 (NVD Database).

The vulnerability poses a significant security risk as it allows an unauthorized attacker to execute code locally with high impacts on confidentiality, integrity, and availability of the affected system. The high CVSS score of 7.8 indicates serious potential consequences if successfully exploited (NVD Database).

Microsoft has released security update KB5002707 to address this vulnerability. The update is available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For Office Online Server, this is build 16.0.10417.20010 of the security update package (Microsoft Support).