CVE-2025-60728: 
vulnerability analysis and mitigation

An untrusted pointer dereference vulnerability has been identified in Microsoft Office Excel (CVE-2025-60728), which was disclosed on November 11, 2025. The vulnerability affects various Microsoft Office products including Microsoft 365 Apps Enterprise (x64 and x86 versions) and Microsoft Office Long Term Servicing Channel 2024 for both Windows and macOS platforms (NVD Database).

The vulnerability is classified under CWE-822 (Untrusted Pointer Dereference) and CWE-125 (Out-of-bounds Read). It has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating network vector attack capability with low attack complexity and requiring user interaction (NVD Database).

The vulnerability allows unauthorized attackers to disclose information over a network when successfully exploited. The impact is primarily focused on confidentiality with no direct effect on integrity or availability of the system (NVD Database).

Microsoft has acknowledged the vulnerability and provided information through their Security Response Center. Users are advised to apply the latest security updates through the Microsoft Update mechanism (Microsoft Advisory).