CVE-2025-54906: 
vulnerability analysis and mitigation

A remote code execution vulnerability identified as CVE-2025-54906 was discovered in Microsoft Office and SharePoint Server products. The vulnerability was disclosed on September 9, 2025, affecting multiple versions of Microsoft Office (2016, 2019), Microsoft 365 Apps, and SharePoint Server (2016, 2019). The vulnerability is related to free memory not on the heap in Microsoft Office, which could allow an unauthorized attacker to execute code locally (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Microsoft has classified this as a Use After Free (CWE-416) vulnerability. The attack requires local access and user interaction, but no privileges are needed for exploitation (NVD).

If successfully exploited, this vulnerability allows an unauthorized attacker to execute code locally with high impacts on confidentiality, integrity, and availability of the affected system. The vulnerability affects multiple Microsoft products including various versions of Office, SharePoint Server, and Microsoft 365 Apps across different architectures (x86, x64) and platforms (NVD).

Microsoft has released security updates to address this vulnerability. Users can obtain the update through multiple channels: Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center. For Office 2016, users need to install security update KB5002576, and for SharePoint Server 2016, security update KB5002778 is required. It's important to note that these updates only apply to Microsoft Installer (.msi)-based editions and not to Click-to-Run editions such as Microsoft Office 365 Home (Microsoft Support).