CVE-2025-49705: 
vulnerability analysis and mitigation

CVE-2025-49705 is a heap-based buffer overflow vulnerability discovered in Microsoft Office PowerPoint. The vulnerability was disclosed on July 8, 2025, affecting various versions of Microsoft PowerPoint and Microsoft Office products including PowerPoint 2016, Microsoft 365 Apps, and Office LTSC 2021 (NVD, CVE).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) that could allow an unauthorized attacker to execute code locally. Microsoft has assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current user. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the affected system (NVD).

Microsoft has released security updates to address this vulnerability. Users can obtain the update through Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center. For PowerPoint 2016, the security update KB5002746 is available and replaces the previously released security update 5002689 (Microsoft Support).