Microsoft 365 Apps RCE Vulnerability Exploited via Malicious Excel Files
A critical remote code execution vulnerability in Microsoft 365 Apps and other Office versions, CVE-2025-60727, can be exploited through specially crafted malicious Excel files.

Microsoft has disclosed a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-60727, that affects its widely used Office suite. The flaw can be exploited when a user opens a specially crafted malicious Excel file, leading to an out-of-bounds read (CWE-125) that allows attackers to execute arbitrary code with the privileges of the logged-in user. This vulnerability poses a significant risk, particularly within phishing campaigns where attackers can trick unsuspecting users into opening weaponized documents.
The vulnerability resides in the way Microsoft Excel processes malformed file structures. When a malicious Excel document is opened, the application may read memory outside of its allocated buffer. Attackers can carefully design these files to manipulate this improper memory access, influencing the application's behavior and ultimately enabling the execution of arbitrary code on the target system. The potential attack surface is vast, as the vulnerability impacts numerous Microsoft products, including Microsoft 365 Apps, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Office Online Server.
Exploitation of CVE-2025-60727 requires direct user interaction, meaning a victim must open the malicious Excel file. Crucially, the attack does not necessitate authentication or elevated privileges, making it an ideal tool for phishing operations. Threat actors can craft emails that appear to be legitimate business communications, such as invoices or reports, and attach a malicious Excel file. Once opened, the file can silently trigger the vulnerability and execute malicious code in the background.
The root cause of the flaw is insufficient validation of length and offset values during the parsing of Excel files. When Excel encounters a malformed file, it attempts to read data beyond the boundaries of allocated memory. By carefully controlling the structure of the malicious file, attackers can leverage this out-of-bounds read to overwrite critical memory regions, redirect execution flow, and inject their own malicious instructions within the context of the Excel process.
A successful exploitation grants the attacker the same level of access as the current user. This can lead to a cascade of malicious activities, including data theft, installation of further malware, establishment of persistence mechanisms, and potentially a full system compromise. In enterprise environments, a successful exploit can serve as an initial foothold for lateral movement across the network.
Detection of exploitation attempts often involves monitoring for unusual behaviors originating from Excel processes. Security teams might observe Excel spawning unexpected child processes, such as command shells or scripting engines, or initiating suspicious outbound network connections shortly after a document is opened. In some instances, systems might generate crash reports or access violations related to Excel when processing malformed files.
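The behaviours described above can be turned into a simple triage rule over process-creation and network telemetry. The following is an added example, not part of the original article or any Microsoft tooling; the events are constructed Sysmon-style records (EventID 1 for process creation, EventID 3 for network connections) and the internal network ranges are assumed.

```python
import ipaddress
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed Sysmon-style events for illustration, not real telemetry.
# EventID 1 = process creation, EventID 3 = network connection.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ParentImage": EXCEL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                       # suspicious child
    {"EventID": "1", "ParentImage": EXCEL, "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},                      # benign print helper
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # not Excel
    {"EventID": "3", "Image": EXCEL, "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": "3", "Image": EXCEL, "DestinationIp": "10.0.0.5", "DestinationPort": "445"},
]

# Script hosts and LOLBins a spreadsheet has no ordinary reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe"}
# Assumed internal ranges (RFC 1918 plus loopback); adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that matches an Excel post-exploitation pattern."""
    findings = []
    for ev in events:
        if ev["EventID"] == "1" and basename(ev["ParentImage"]) == "excel.exe":
            if basename(ev["Image"]) in SUSPICIOUS_CHILDREN:
                findings.append({"rule": "excel_spawns_script_host",
                                 "detail": ev["CommandLine"]})
        elif ev["EventID"] == "3" and basename(ev["Image"]) == "excel.exe":
            # File-share and intranet traffic from Excel is routine; Internet-bound
            # connections shortly after an attachment opens deserve a look.
            if not is_internal(ev["DestinationIp"]):
                findings.append({"rule": "excel_outbound_to_internet",
                                 "detail": f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return findings
```

Legitimate Office traffic (licensing, cloud sync) will also produce outbound findings, so correlate hits with a recently opened attachment before escalating.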
Microsoft has released security updates to address CVE-2025-60727. Organizations are strongly advised to apply these patches immediately. Keeping Microsoft 365 Apps updated via the Click-to-Run channel and deploying the latest security updates for standalone Office versions are critical. Additional mitigation strategies include enforcing Protected View for files from untrusted sources, blocking macros and external content, and implementing security controls like Attack Surface Reduction rules.
While there are currently no public reports of active exploitation in the wild, the attack vector aligns closely with well-established phishing and document-based attack methodologies. The vulnerability was first published in the National Vulnerability Database on November 11, 2025, and updated on June 17, 2026. Given its critical nature and widespread impact, organizations should treat this vulnerability with high priority and ensure their systems are patched and protected.