CVE-2025-62200: 
vulnerability analysis and mitigation

A vulnerability identified as CVE-2025-62200 was discovered in Microsoft Office Excel, involving an untrusted pointer dereference that allows an unauthorized attacker to execute code locally. The vulnerability was disclosed on November 11, 2025, affecting multiple versions of Microsoft Excel and Office products including Excel 2016, Office 2019, Microsoft 365 Apps Enterprise, and Office Online Server (NVD Database).

The vulnerability is classified as CWE-822 (Untrusted Pointer Dereference) with a CVSS v3.1 base score of 7.8 (HIGH). The attack vector is local (AV:L) with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is unchanged (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD Database).

The vulnerability affects multiple Microsoft products including Microsoft 365 Apps Enterprise (x64 and x86 versions), Excel 2016 (x64 and x86 versions), Office 2019 (x86 and x64 versions), Office Long Term Servicing Channel 2021 and 2024 (x64 and x86 versions), and Office Online Server versions up to (excluding) 16.0.10417.20068 (NVD Database).

Microsoft has released security updates to address this vulnerability. The fixes are available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For Office Online Server, the security update package build 16.0.10417.20068 has been released. Users are advised to apply these security updates immediately (Microsoft Support).