CVE-2025-21394: 
vulnerability analysis and mitigation

Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-21394) was disclosed on February 11, 2025. This vulnerability affects multiple Microsoft products including Microsoft 365 Apps for Enterprise, Microsoft Office versions (2019, LTSC 2021, LTSC 2024), Microsoft Excel 2016, and Office Online Server versions up to (excluding) 16.0.10416.20058 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is Local, requiring low attack complexity with no privileges required, though user interaction is necessary. The vulnerability impacts confidentiality, integrity, and availability, all rated as High (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with the same privileges as the affected application, potentially compromising the confidentiality, integrity, and availability of the affected system (NVD).

Microsoft has released security updates to address this vulnerability. Users are advised to update to build 16.0.10416.20058 or later for Office Online Server. Updates are available through Microsoft Update, Microsoft Update Catalog, and Microsoft Download Center (Microsoft Support).