CVE-2025-54898: 
vulnerability analysis and mitigation

CVE-2025-54898 is an out-of-bounds read vulnerability affecting Microsoft Office Excel. The vulnerability was discovered and disclosed on September 9, 2025, affecting various versions of Microsoft Excel including Microsoft 365 Apps, Excel 2016, Office LTSC 2021 and 2024, and Office Online Server (NVD, Microsoft Support).

The vulnerability is classified as an out-of-bounds read (CWE-125) in Microsoft Office Excel. It has received a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access and user interaction, but no privileges, and can impact confidentiality, integrity, and availability with high severity (NVD).

If successfully exploited, this vulnerability allows an unauthorized attacker to execute code locally on the affected system. The high CVSS score indicates that successful exploitation could lead to significant impacts on system confidentiality, integrity, and availability (NVD).

Microsoft has released security updates to address this vulnerability. The updates are available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For Excel 2016, users need to install security update KB5002782. For Office Online Server, the update package build 16.0.10417.20047 (KB5002776) is available (Microsoft Support).