Office Microsoft Office

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Microsoft Office.

Recent Microsoft Office Security Advisories

Advisory Title Published
CVE-2025-47173 CVE-2025-47173 Microsoft Office Remote Code Execution Vulnerability June 10, 2025
CVE-2025-47167 CVE-2025-47167 Microsoft Office Remote Code Execution Vulnerability June 10, 2025
CVE-2025-47164 CVE-2025-47164 Microsoft Office Remote Code Execution Vulnerability June 10, 2025
CVE-2025-47953 CVE-2025-47953 Microsoft Office Remote Code Execution Vulnerability June 10, 2025
CVE-2025-47162 CVE-2025-47162 Microsoft Office Remote Code Execution Vulnerability June 10, 2025
CVE-2025-30386 CVE-2025-30386 Microsoft Office Remote Code Execution Vulnerability May 13, 2025
CVE-2025-30377 CVE-2025-30377 Microsoft Office Remote Code Execution Vulnerability May 13, 2025
CVE-2025-26642 CVE-2025-26642 Microsoft Office Remote Code Execution Vulnerability April 8, 2025
CVE-2025-29792 CVE-2025-29792 Microsoft Office Elevation of Privilege Vulnerability April 8, 2025
CVE-2025-27749 CVE-2025-27749 Microsoft Office Remote Code Execution Vulnerability April 8, 2025

Known Exploited Microsoft Office Vulnerabilities

The following Microsoft Office vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Microsoft Office Outlook Privilege Escalation Vulnerability Microsoft Office Outlook contains a privilege escalation vulnerability that allows for a NTLM Relay attack against another service to authenticate as the user.
CVE-2023-23397 Exploit Probability: 93.5%
March 14, 2023
Microsoft Office Security Feature Bypass Vulnerability Microsoft Office contains a security feature bypass vulnerability which allows for a local, authenticated attack on a targeted system.
CVE-2023-21715 Exploit Probability: 0.4%
February 14, 2023
Microsoft Office Object Record Corruption Vulnerability Microsoft Office contains an object record corruption vulnerability which allows remote attackers to execute code via a crafted Excel file with a malformed record object.
CVE-2009-0557 Exploit Probability: 83.0%
June 8, 2022
Microsoft Office Buffer Overflow Vulnerability Microsoft Office contains a buffer overflow vulnerability that allows remote attackers to execute code via a Word document with a crafted tag containing an invalid length field.
CVE-2009-0563 Exploit Probability: 77.9%
June 8, 2022
Microsoft Office Buffer Overflow Vulnerability Microsoft Office contains a buffer overflow vulnerability which allows remote attackers to execute code via crafted PNG data in an Office document.
CVE-2013-1331 Exploit Probability: 85.8%
June 8, 2022
Microsoft Office Uninitialized Memory Use Vulnerability Microsoft Office allows remote attackers to execute arbitrary code via a crafted Office document.
CVE-2015-1770 Exploit Probability: 73.2%
March 28, 2022
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Microsoft Office Access Connectivity Engine contains an unspecified vulnerability which can allow for remote code execution.
CVE-2021-38646 Exploit Probability: 66.3%
March 28, 2022
Microsoft Office Memory Corruption Vulnerability Microsoft Office contains a memory corruption vulnerability which can allow for remote code execution.
CVE-2016-7193 Exploit Probability: 78.4%
March 3, 2022
Microsoft Office Stack-based Buffer Overflow Vulnerability A stack-based buffer overflow vulnerability exists in the parsing of RTF data in Microsoft Office and earlier allows an attacker to perform remote code execution.
CVE-2010-3333 Exploit Probability: 94.0%
March 3, 2022
Microsoft Office MSCOMCTL.OCX Remote Code Execution Vulnerability The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption.
CVE-2012-1856 Exploit Probability: 92.4%
March 3, 2022
Microsoft Office Memory Corruption Vulnerability Microsoft Office contains a memory corruption vulnerability which allows remote attackers to execute arbitrary code via a crafted document.
CVE-2015-1642 Exploit Probability: 64.7%
March 3, 2022
Microsoft Office Malformed EPS File Vulnerability Microsoft Office allows remote attackers to execute arbitrary code via a crafted EPS image.
CVE-2015-2545 Exploit Probability: 93.3%
March 3, 2022
Microsoft Office Use-After-Free Vulnerability Microsoft Office contains a use-after-free vulnerability which can allow for remote code execution.
CVE-2017-0261 Exploit Probability: 93.0%
March 3, 2022
Microsoft Office Remote Code Execution Vulnerability A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
CVE-2017-11826 Exploit Probability: 89.7%
March 3, 2022
Microsoft Office Remote Code Execution Vulnerability A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory.
CVE-2017-8570 Exploit Probability: 94.2%
February 25, 2022
Microsoft Office Remote Code Execution Vulnerability A remote code execution vulnerability exists in Microsoft Office.
CVE-2017-0262 Exploit Probability: 64.7%
February 10, 2022
Microsoft Excel Security Feature Bypass A security feature bypass vulnerability in Microsoft Excel would allow a local user to perform arbitrary code execution.
CVE-2021-42292 Exploit Probability: 17.9%
November 17, 2021
Microsoft Office 2007 - 2016 Backdoor Exploitation Chain Allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".
CVE-2018-0798 Exploit Probability: 94.2%
November 3, 2021
Microsoft Office memory corruption vulnerability Allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
CVE-2017-11882 Exploit Probability: 94.4%
November 3, 2021
Microsoft Office Memory Corruption vulnerability Allows remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."
CVE-2015-1641 Exploit Probability: 93.5%
November 3, 2021

Of the known exploited vulnerabilities above, 12 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 6 known exploited Microsoft Office vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Top 10 Riskiest Microsoft Office Vulnerabilities

Based on the current exploit probability, these Microsoft Office vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.

Rank CVE EPSS Vulnerability
1 CVE-2017-11882 94.4% Microsoft Office memory corruption vulnerability
2 CVE-2017-8570 94.2% Microsoft Office Remote Code Execution Vulnerability
3 CVE-2018-0798 94.2% Microsoft Office 2007 - 2016 Backdoor Exploitation Chain
4 CVE-2018-0802 94.1% Microsoft Office 2007 - 2016 Backdoor Exploitation Chain
5 CVE-2010-3333 94.0% Microsoft Office Stack-based Buffer Overflow Vulnerability
6 CVE-2023-23397 93.5% Microsoft Office Outlook Privilege Escalation Vulnerability
7 CVE-2015-1641 93.5% Microsoft Office Memory Corruption vulnerability
8 CVE-2015-2545 93.3% Microsoft Office Malformed EPS File Vulnerability
9 CVE-2017-0261 93.0% Microsoft Office Use-After-Free Vulnerability
10 CVE-2012-1856 92.4% Microsoft Office MSCOMCTL.OCX Remote Code Execution Vulnerability

EOL Dates

Ensure that you are using a supported version of Microsoft Office. Here are some end of life, and end of support dates for Microsoft Office.

Release EOL End of Support Status
2024 October 9, 2029 October 9, 2029
Active

Microsoft Office 2024 will become EOL in 4 years (in 2029).

2024-ltsc October 9, 2029 October 9, 2029
Active

Microsoft Office 2024-ltsc will become EOL in 4 years (in 2029).

2021 October 13, 2026 October 13, 2026
Active

Microsoft Office 2021 will become EOL next year, in October 2026.

2019 October 14, 2025 October 10, 2023
EOL This Year

Microsoft Office 2019 will become EOL this year, in October 2025.

2016 October 14, 2025 October 13, 2020
EOL This Year

Microsoft Office 2016 will become EOL this year, in October 2025.

365 - -
Active

2013 April 11, 2023 April 10, 2018
EOL

Microsoft Office 2013 became EOL in 2023 and supported ended in 2018

2011-for-mac October 10, 2017 October 10, 2017
EOL

Microsoft Office 2011-for-mac became EOL in 2017 and supported ended in 2017

2010 October 13, 2020 October 13, 2015
EOL

Microsoft Office 2010 became EOL in 2020 and supported ended in 2015

2008-for-mac April 9, 2013 April 9, 2013
EOL

Microsoft Office 2008-for-mac became EOL in 2013 and supported ended in 2013

2007 October 10, 2017 October 9, 2012
EOL

Microsoft Office 2007 became EOL in 2017 and supported ended in 2012

By the Year

In 2025 there have been 44 vulnerabilities in Microsoft Office with an average score of 7.7 out of ten. Last year, in 2024 Office had 39 security vulnerabilities published. That is, 5 more vulnerabilities have already been reported in 2025 as compared to last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.00.




Year Vulnerabilities Average Score
2025 44 7.72
2024 39 7.72
2023 60 7.46
2022 42 7.12
2021 64 7.50
2020 71 7.44
2019 58 7.37
2018 76 7.53

It may take a day or so for new Office vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Microsoft Office Security Vulnerabilities

'.../...//' in Microsoft Office Outlook allows an authorized

CVE-2025-47176 7.8 - High - June 10, 2025

'.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel

CVE-2025-30383 7.8 - High - May 13, 2025

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Object Type Confusion

Use after free in Microsoft Office

CVE-2025-30386 7.8 - High - May 13, 2025

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Dangling pointer

Heap-based buffer overflow in Windows Win32K - GRFX

CVE-2025-30388 7.8 - High - May 13, 2025

Heap-based buffer overflow in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.

Memory Corruption

Buffer over-read in Microsoft Office Excel

CVE-2025-32704 7.8 - High - May 13, 2025

Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Out-of-bounds Read

Heap-based buffer overflow in Microsoft Office Excel

CVE-2025-30376 7.8 - High - May 13, 2025

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Memory Corruption

Use after free in Microsoft Office

CVE-2025-30377 7.8 - High - May 13, 2025

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Dangling pointer

Release of invalid pointer or reference in Microsoft Office Excel

CVE-2025-30379 7.8 - High - May 13, 2025

Release of invalid pointer or reference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Release of Invalid Pointer or Reference

Out-of-bounds read in Microsoft Office Excel

CVE-2025-30381 7.8 - High - May 13, 2025

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Out-of-bounds Read

Use after free in Microsoft Office Excel

CVE-2025-29977 7.8 - High - May 13, 2025

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Heap-based buffer overflow in Microsoft Office Excel

CVE-2025-29979 7.8 - High - May 13, 2025

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Memory Corruption

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel

CVE-2025-30375 7.8 - High - May 13, 2025

Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Object Type Confusion

Use after free in Microsoft Office Access

CVE-2025-26630 7.8 - High - March 11, 2025

Use after free in Microsoft Office Access allows an unauthorized attacker to execute code locally.

Dangling pointer

Heap-based buffer overflow in Microsoft Office

CVE-2025-24057 7.8 - High - March 11, 2025

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Heap-based Buffer Overflow

Stack-based buffer overflow in Microsoft Office Excel

CVE-2025-24075 7.8 - High - March 11, 2025

Stack-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Stack Overflow

Use after free in Microsoft Office Word

CVE-2025-24078 7 - High - March 11, 2025

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Dangling pointer

Use after free in Microsoft Office Word

CVE-2025-24079 7.8 - High - March 11, 2025

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Dangling pointer

Use after free in Microsoft Office

CVE-2025-24080 7.8 - High - March 11, 2025

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Dangling pointer

Use after free in Microsoft Office Excel

CVE-2025-24081 7.8 - High - March 11, 2025

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Use after free in Microsoft Office Excel

CVE-2025-24082 7.8 - High - March 11, 2025

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Untrusted pointer dereference in Microsoft Office

CVE-2025-24083 7.8 - High - March 11, 2025

Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally.

Untrusted Pointer Dereference

Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-21394 7.8 - High - February 11, 2025

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Office Remote Code Execution Vulnerability

CVE-2025-21397 7.8 - High - February 11, 2025

Microsoft Office Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-21387 7.8 - High - February 11, 2025

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-21390 7.8 - High - February 11, 2025

Microsoft Excel Remote Code Execution Vulnerability

Heap-based Buffer Overflow

Microsoft Excel Information Disclosure Vulnerability

CVE-2025-21383 5.5 - Medium - February 11, 2025

Microsoft Excel Information Disclosure Vulnerability

Out-of-bounds Read

Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-21381 7.8 - High - February 11, 2025

Microsoft Excel Remote Code Execution Vulnerability

Untrusted Pointer Dereference

Microsoft Office Remote Code Execution Vulnerability

CVE-2025-21392 7.8 - High - February 11, 2025

Microsoft Office Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-21386 7.8 - High - February 11, 2025

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Office OneNote Remote Code Execution Vulnerability

CVE-2025-21402 7.8 - High - January 14, 2025

Microsoft Office OneNote Remote Code Execution Vulnerability

Improper Restriction of Names for Files and Other Resources

Microsoft Office Visio Remote Code Execution Vulnerability

CVE-2025-21345 7.8 - High - January 14, 2025

Microsoft Office Visio Remote Code Execution Vulnerability

Dangling pointer

Microsoft Office Security Feature Bypass Vulnerability

CVE-2025-21346 7.8 - High - January 14, 2025

Microsoft Office Security Feature Bypass Vulnerability

Protection Mechanism Failure

Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-21354 7.8 - High - January 14, 2025

Microsoft Excel Remote Code Execution Vulnerability

Untrusted Pointer Dereference

Microsoft Office Visio Remote Code Execution Vulnerability

CVE-2025-21356 7.8 - High - January 14, 2025

Microsoft Office Visio Remote Code Execution Vulnerability

Heap-based Buffer Overflow

Microsoft Outlook Remote Code Execution Vulnerability

CVE-2025-21357 6.7 - Medium - January 14, 2025

Microsoft Outlook Remote Code Execution Vulnerability

Use of Uninitialized Resource

Microsoft Outlook Remote Code Execution Vulnerability

CVE-2025-21361 7.8 - High - January 14, 2025

Microsoft Outlook Remote Code Execution Vulnerability

Improper Restriction of Names for Files and Other Resources

Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-21362 8.4 - High - January 14, 2025

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Word Remote Code Execution Vulnerability

CVE-2025-21363 7.8 - High - January 14, 2025

Microsoft Word Remote Code Execution Vulnerability

Untrusted Pointer Dereference

Microsoft Excel Security Feature Bypass Vulnerability

CVE-2025-21364 7.8 - High - January 14, 2025

Microsoft Excel Security Feature Bypass Vulnerability

Marshaling, Unmarshaling

Microsoft Office Remote Code Execution Vulnerability

CVE-2025-21365 7.8 - High - January 14, 2025

Microsoft Office Remote Code Execution Vulnerability

Untrusted Path

Microsoft Access Remote Code Execution Vulnerability

CVE-2025-21366 7.8 - High - January 14, 2025

Microsoft Access Remote Code Execution Vulnerability

Dangling pointer

Microsoft Access Remote Code Execution Vulnerability

CVE-2025-21395 7.8 - High - January 14, 2025

Microsoft Access Remote Code Execution Vulnerability

Heap-based Buffer Overflow

Microsoft Access Remote Code Execution Vulnerability

CVE-2025-21186 7.8 - High - January 14, 2025

Microsoft Access Remote Code Execution Vulnerability

Heap-based Buffer Overflow

GDI+ Remote Code Execution Vulnerability

CVE-2025-21338 7.8 - High - January 14, 2025

GDI+ Remote Code Execution Vulnerability

Integer Overflow or Wraparound

Microsoft Access Remote Code Execution Vulnerability

CVE-2024-49142 7.8 - High - December 12, 2024

Microsoft Access Remote Code Execution Vulnerability

Dangling pointer

Microsoft Excel Remote Code Execution Vulnerability

CVE-2024-49069 7.8 - High - December 12, 2024

Microsoft Excel Remote Code Execution Vulnerability

Dangling pointer

Microsoft Office Remote Code Execution Vulnerability

CVE-2024-49065 5.5 - Medium - December 12, 2024

Microsoft Office Remote Code Execution Vulnerability

Out-of-bounds Read

Microsoft Office Elevation of Privilege Vulnerability

CVE-2024-49059 7 - High - December 12, 2024

Microsoft Office Elevation of Privilege Vulnerability

Race Condition

Microsoft Office Elevation of Privilege Vulnerability

CVE-2024-43600 7.8 - High - December 12, 2024

Microsoft Office Elevation of Privilege Vulnerability

Authorization

Microsoft Excel Remote Code Execution Vulnerability

CVE-2024-49030 7.8 - High - November 12, 2024

Microsoft Excel Remote Code Execution Vulnerability

Heap-based Buffer Overflow

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Microsoft Office Long Term Servicing Channel or by Microsoft? Click the Watch button to subscribe.

Microsoft
Vendor

subscribe