CVE-2025-54899: 
vulnerability analysis and mitigation

CVE-2025-54899 is a vulnerability in Microsoft Office Excel that was disclosed on September 9, 2025. The vulnerability involves free memory not on the heap, which allows an unauthorized attacker to execute code locally. This vulnerability affects multiple Microsoft products including Microsoft Office 2019, Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021/2024 (both Windows and Mac versions), and Microsoft Excel 2016 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access and user interaction, but no privileges are required to exploit it. The vulnerability has been classified under CWE-590 (Free of Memory not on the Heap) (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute code locally with high impacts on confidentiality, integrity, and availability of the system. The CVSS scoring indicates potential for complete compromise of system confidentiality, integrity, and availability within the scope of the affected component (NVD).

Microsoft has released security updates to address this vulnerability. The updates are available through Microsoft Update, Microsoft Update Catalog, and as standalone packages through the Microsoft Download Center. For Microsoft Excel 2016, the security update KB5002782 has been released to address this vulnerability (Microsoft Support).