CVE-2025-21363 is a remote code execution vulnerability identified in Microsoft 365 Apps for Enterprise, specifically in Microsoft Word version 16.0.1. The root cause is an untrusted pointer dereference (CWE-822), where the software improperly handles pointers derived from untrusted input, leading to memory corruption. When a user opens a maliciously crafted Word document, the vulnerability can be triggered, allowing an attacker to execute arbitrary code within the context of the current user. The CVSS v3.1 base score is 7.8, indicating high severity, with an attack vector of local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). The exploitability is facilitated by the lack of required privileges and low complexity, but the need for user interaction limits automated exploitation. No public exploits or patches are currently available, increasing the urgency for organizations to implement interim mitigations. This vulnerability poses a significant risk to environments where Microsoft 365 Apps for Enterprise is widely deployed, especially in enterprise and government sectors.

The vulnerability allows attackers to execute arbitrary code remotely by convincing users to open malicious Word documents, potentially leading to full system compromise. This can result in data theft, unauthorized system control, deployment of malware or ransomware, and disruption of business operations. Because the exploit runs with the current user's privileges, the impact varies depending on user rights; administrative users face a higher risk of complete system takeover. The requirement for user interaction limits mass exploitation but does not eliminate targeted attacks, especially via phishing campaigns. Organizations relying heavily on Microsoft 365 Apps for Enterprise, particularly in sectors handling sensitive data such as finance, healthcare, and government, face increased risk. The lack of patches and known exploits in the wild means attackers may develop exploits rapidly, increasing the threat window.

Until an official patch is released, organizations should implement several specific mitigations: 1) Enforce strict email filtering and attachment scanning to block or quarantine suspicious Word documents. 2) Disable macros and ActiveX controls in Microsoft Word to reduce attack surface. 3) Configure Microsoft Defender or equivalent endpoint protection solutions to detect and block exploitation attempts related to this vulnerability. 4) Educate users on the risks of opening unsolicited or unexpected Word documents, emphasizing phishing awareness. 5) Use application control policies (e.g., AppLocker or Windows Defender Application Control) to restrict execution of unauthorized code. 6) Employ network segmentation and least privilege principles to limit the impact of potential compromise. 7) Monitor logs and network traffic for unusual activity indicative of exploitation attempts. 8) Prepare for rapid deployment of patches once Microsoft releases an update addressing this vulnerability.