CVE-2025-54901 is a buffer over-read vulnerability classified under CWE-126 found in Microsoft Excel within Microsoft 365 Apps for Enterprise version 16.0.1. A buffer over-read occurs when a program reads data beyond the bounds of allocated memory, potentially exposing sensitive information stored in adjacent memory locations. In this case, the vulnerability allows an unauthorized attacker to disclose information locally by triggering the over-read condition. The attack vector requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R). The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component without impacting other system components. The confidentiality impact is high (C:H), while integrity and availability impacts are none (I:N, A:N). The CVSS v3.1 base score is 5.5, reflecting a medium severity rating. No patches or exploits are currently available, but the vulnerability poses a risk of sensitive data leakage on compromised or shared systems. Mitigation currently relies on limiting local access and user awareness until a patch is released.

This vulnerability primarily threatens the confidentiality of information on systems running the affected Microsoft Excel version. An attacker with local access and the ability to trick a user into interacting with a malicious file or action could exploit the buffer over-read to read sensitive memory contents, potentially exposing confidential data. While it does not allow remote exploitation or privilege escalation, environments with multiple users or shared workstations are at higher risk. The impact is limited to local information disclosure without affecting system integrity or availability. Organizations handling sensitive data in Excel documents, especially in regulated industries, could face data leakage risks. The absence of known exploits reduces immediate threat but does not eliminate future risk once exploit code becomes available.

Until a security patch is released by Microsoft, organizations should implement strict local access controls to prevent unauthorized users from accessing vulnerable systems. Employ endpoint protection solutions that monitor and restrict execution of untrusted files or macros in Excel. Educate users to avoid opening suspicious or unsolicited Excel files and to report unexpected prompts requiring interaction. Use application whitelisting to limit execution of unverified code. Regularly audit and monitor local user activities for signs of exploitation attempts. Once Microsoft releases a patch, prioritize immediate deployment across all affected systems. Consider isolating critical systems or using virtual desktop infrastructure (VDI) to reduce local attack surface. Maintain up-to-date backups and incident response plans to quickly address any potential data exposure incidents.