CVE-2025-54900: 
vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability has been identified in Microsoft Office Excel (CVE-2025-54900). The vulnerability was discovered and disclosed on September 9, 2025, affecting various versions of Microsoft Excel including Excel 2016, Microsoft 365 Apps, and Office Online Server (NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) that could allow unauthorized attackers to execute code locally. Microsoft has assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability affects multiple Microsoft products including Microsoft 365 Apps (Enterprise editions for both x64 and x86), Excel 2016 (x64 and x86 versions), Office Long Term Servicing Channel 2021 and 2024 editions, and Office Online Server versions up to (excluding) 16.0.10417.20047 (NVD).

Microsoft has released security updates to address this vulnerability. The fix is available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For Office Online Server, the security update package build 16.0.10417.20047 has been released to address this vulnerability (Microsoft Support).