CVE-2025-47994: 
vulnerability analysis and mitigation

A deserialization of untrusted data vulnerability in Microsoft Office was discovered and disclosed on July 8, 2025. The vulnerability, tracked as CVE-2025-47994, affects multiple Microsoft Office products including Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps Enterprise editions for both x86 and x64 architectures (NVD).

The vulnerability is classified as a deserialization of untrusted data issue (CWE-502). It received a CVSS v3.1 base score of 8.6 (HIGH) from NIST with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, while Microsoft assessed it with a slightly lower score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows an unauthorized attacker to elevate privileges locally on affected systems. The high CVSS scores indicate severe potential impacts on confidentiality, integrity, and availability of the affected systems (NVD).

Microsoft has released security updates to address this vulnerability. The fix is available through Microsoft Update, Microsoft Update Catalog, and as a standalone package through the Microsoft Download Center. For Office 2016, the security update KB5002742 has been released to address this vulnerability along with several others (Microsoft Support).