CVE-2025-49697: 
vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2025-49697) was discovered in Microsoft Office, reported on July 8, 2025. This vulnerability allows an unauthorized attacker to execute code locally on affected systems. The vulnerability affects multiple versions of Microsoft Office, including Office 2016, Office 2019, Microsoft 365 Apps, and Office for Android (NVD, Microsoft Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.4 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow). The attack requires local access but needs no privileges or user interaction to execute (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with the same privileges as the affected application. Given the CVSS metrics, the vulnerability could lead to a complete compromise of confidentiality, integrity, and availability of the targeted system (NVD).

Microsoft has released security updates to address this vulnerability. The patches are available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For Office 2016, the security update KB5002742 has been released. Users are advised to apply these updates immediately (Microsoft Support).