CVE-2025-54904: 
vulnerability analysis and mitigation

CVE-2025-54904 is a use-after-free vulnerability affecting Microsoft Office Excel that was disclosed on September 09, 2025. The vulnerability impacts multiple Microsoft products including Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021/2024 (both Windows and Mac versions), Microsoft Excel 2016, and Office Online Server (NVD).

The vulnerability is classified as a use-after-free issue in Microsoft Office Excel that could allow an unauthorized attacker to execute code locally. It has received a CVSS v3.1 base score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates a local attack vector, low attack complexity, no privileges required, but user interaction is required. The vulnerability has been assigned CWE-416 (Use After Free) (NVD, AttackerKB).

If successfully exploited, this vulnerability could allow an attacker to execute code with the same privileges as the victim user, potentially leading to full system compromise. The CVSS scoring indicates high impacts on confidentiality, integrity, and availability of the affected system (AttackerKB).

Microsoft has released security updates to address this vulnerability. The fixes are available through Microsoft Update or can be downloaded directly from the Microsoft Update Catalog. Organizations using affected versions of Microsoft Excel and Office products should apply the security update KB5002782 for Excel 2016 and related updates for other affected products (Microsoft Support).