CVE-2025-62201: 
vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2025-62201) was discovered in Microsoft Office Excel, disclosed on November 11, 2025. The vulnerability affects multiple versions of Microsoft Excel and Office products, including Excel 2016, Microsoft 365 Apps Enterprise, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server (NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) that could allow unauthorized attackers to execute code locally. Microsoft has assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability poses significant risks as it allows for remote code execution and could potentially lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center. For Office Online Server, the security update package build 16.0.10417.20068 has been released (Microsoft Support).