CVE-2025-54907: 
vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2025-54907) was discovered in Microsoft Office Visio that allows an unauthorized attacker to execute code locally. The vulnerability was disclosed on September 9, 2025, affecting multiple versions of Microsoft Office including Microsoft 365 Apps Enterprise, Office 2019, Office LTSC 2021, and Office LTSC 2024 (NVD, Microsoft).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) with a CVSS v3.1 base score of 7.8 (HIGH). The attack vector is local (AV:L) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is unchanged (S:U) with high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If successfully exploited, this vulnerability allows an attacker to execute arbitrary code in the context of the current user. Given the high impact ratings for confidentiality, integrity, and availability, successful exploitation could lead to complete compromise of the affected system within the scope of the user's privileges (Rapid7).

Microsoft has released security updates to address this vulnerability. Affected users should apply the September 2025 security updates for Microsoft Office products. The updates are available for Microsoft 365 Apps Enterprise (x64 and x86), Office 2019, Office LTSC 2021, and Office LTSC 2024 (Microsoft).