CVE-2025-32704: 
vulnerability analysis and mitigation

CVE-2025-32704 is a Remote Code Execution vulnerability affecting Microsoft Office Excel, which was disclosed on May 13, 2025. The vulnerability is identified as a buffer over-read issue that allows an unauthorized attacker to execute code locally on affected systems. The affected software includes Microsoft 365 Apps Enterprise (x64 and x86), Excel 2016 (x64 and x86), Office 2019 (x64 and x86), and Office Long Term Servicing Channel 2021 and 2024 versions (NVD, Wiz).

The vulnerability is classified as a buffer over-read issue (CWE-126) in Microsoft Office Excel. It has received a CVSS v3.1 base score of 8.4 (HIGH) from Microsoft with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and no user interaction needed. The NVD has assigned a slightly different score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability allows an unauthorized attacker to execute code locally on the affected system, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability (Wiz).

Microsoft has released a security update to address this vulnerability as part of the May 2025 Patch Tuesday updates. Users and administrators are strongly advised to apply the security updates immediately through Windows Update or enterprise management tools (Wiz).