CVE-2025-49705: 
vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability has been identified in Microsoft Office PowerPoint (CVE-2025-49705). The vulnerability was discovered and disclosed on July 8, 2025, affecting PowerPoint 2016 installations. This security flaw allows an unauthorized attacker to execute code locally on affected systems (NVD, Microsoft Security).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) with a CVSS v3.1 base score of 7.8 (HIGH). The attack vector is local (AV:L), with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is unchanged (S:U), with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If successfully exploited, this vulnerability allows an unauthorized attacker to execute arbitrary code locally on the affected system, potentially leading to complete system compromise with the same privileges as the logged-in user (NVD).

Microsoft has released a security update (KB5002746) to address this vulnerability. The update is available through Microsoft Update, Microsoft Update Catalog, and as a standalone package through the Microsoft Download Center. Users are advised to apply the security update immediately. The update applies to Microsoft Installer (.msi)-based editions of Office 2016 but not to Click-to-Run editions such as Microsoft Office 365 Home (Microsoft Support).