
CVE-2025-54902: CWE-125: Out-of-bounds Read in Microsoft Office Online Server

Severity: High
Tags: Vulnerability, CVE-2025-54902, CWE-125, CWE-416
Published: Tue Sep 09 2025 (09/09/2025, 17:00:55 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Office Online Server

Description

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

AI-Powered Analysis

AILast updated: 09/09/2025, 18:38:03 UTC

Technical Analysis

CVE-2025-54902 is a high-severity vulnerability in Microsoft Office Online Server, affecting its Excel component. It is classified as an out-of-bounds read (CWE-125): the parser reads memory beyond the buffer it was given, so a crafted input can make it consume attacker-influenced data from adjacent memory. The CVE record is also tagged CWE-416 (use after free), which suggests the underlying memory-safety defect may involve more than a simple over-read, but the published description gives no further detail. The affected version listed is 16.0.0.0 of Office Online Server.

The CVSS 3.1 base score is 7.8 (High). The vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C breaks down as: local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impact on confidentiality, integrity and availability (C:H/I:H/A:H). For Microsoft document-parsing flaws, AV:L together with UI:R normally means the attacker must get a crafted file processed by the vulnerable component, typically by a user opening it, rather than reach the component directly over the network. The temporal metrics state that exploitation is unproven (E:U), that an official fix exists (RL:O) and that the report is confirmed (RC:C); applying them to the base score gives a temporal score of 6.8. No exploits in the wild are known.

Because scope is unchanged and no privileges are required, successful exploitation yields code execution in the security context of the process that parsed the malicious input, not automatically full control of the host; reaching the host requires further escalation. This page lists no patch or advisory links, but the RL:O metric indicates Microsoft has published an official fix, so defenders should consult Microsoft's advisory for this CVE for the applicable update rather than treat the issue as unpatched. The CVE was reserved on July 31, 2025 and published on September 9, 2025.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially those that run Office Online Server for browser-based viewing and co-editing of documents in front of SharePoint Server, Exchange Server or Skype for Business. Office Online Server parses documents on the server, so the realistic trigger is a crafted spreadsheet that a user opens through the server; a successful exploit then gives the attacker code execution on the server in the context of the service that parsed the file. From there the attacker can read any document the server handles, tamper with what it renders, or crash the service, and with further escalation take over the host. Because confidentiality, integrity and availability are all rated high, organizations handling regulated data (financial institutions, healthcare providers, government agencies) face the most serious consequences. The local attack vector and user-interaction requirement rule out unauthenticated exploitation of the network service itself, but not exploitation through documents delivered by phishing, uploaded by an insider, or placed in a shared library that the server renders. The wide deployment of Microsoft Office products across Europe enlarges the pool of affected organizations and makes the server an attractive foothold for lateral movement. The absence of known exploits in the wild provides a window for proactive defense; the High score argues for using it promptly.

Mitigation Recommendations

1. Confirm the installed Office Online Server build and apply Microsoft's update for this CVE as soon as it has been validated in your change process; the RL:O temporal metric in the vector indicates that an official fix exists even though this page carries no patch link.
2. Restrict who can get documents in front of the server: network segmentation, least privilege on the file shares and SharePoint libraries the server renders from, and tight local access to the servers themselves.
3. Train users to treat unsolicited spreadsheets with suspicion, since user interaction with a crafted file is the expected trigger.
4. Deploy application control (allow-listing) and EDR on the Office Online Server hosts; a document renderer has no reason to spawn shells, script hosts or other living-off-the-land binaries, so such children are a strong signal.
5. Audit logs for indicators of exploitation attempts: unexpected child processes of the rendering components, repeated crashes of the Excel rendering service, or access violations recorded in the application event log.
6. Until the update is deployed, consider disabling or restricting Excel rendering in Office Online Server if business use allows, or isolate the service in a hardened network zone.
7. Keep tested backups and an incident-response plan that covers compromise of the document-rendering tier.
8. Track Microsoft's advisory for this CVE for updated guidance.
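As an added example for recommendations 4 and 5 (not tooling from this page, from the advisory, or from Microsoft), the following script scans Sysmon process-creation records for children spawned by Office Online Server components. It assumes the events have been exported as one JSON object per line with Sysmon's field names, and that Office Online Server is installed under its default directory (C:\Program Files\Microsoft Office Web Apps); the OOS_DIR constant, the list of suspicious child binaries and the sample events are all assumptions or constructed data, and the component file names in the samples are placeholders.

```python
"""Flag unexpected child processes of Office Online Server components in
Sysmon process-creation (Event ID 1) records.

Added example for the monitoring recommendations above; not tooling from
the advisory or from Microsoft. Assumptions: events are JSON lines with
Sysmon field names, and Office Online Server lives under OOS_DIR (the
default install path; adjust if your deployment differs).
"""
import json
import ntpath
from typing import Iterable, List, Optional, Tuple

OOS_DIR = r"C:\Program Files\Microsoft Office Web Apps"  # assumed install path

# Binaries a document renderer has no business spawning; an attacker who
# gains code execution in the parser commonly pivots through one of these.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "schtasks.exe", "net.exe", "whoami.exe",
}


def is_under(path: str, directory: str) -> bool:
    """Case-insensitive check that a Windows path lives below a directory."""
    norm_path = ntpath.normcase(ntpath.normpath(path))
    norm_dir = ntpath.normcase(ntpath.normpath(directory)) + "\\"
    return norm_path.startswith(norm_dir)


def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, message) for a Sysmon Event ID 1 record whose parent
    is an Office Online Server component, or None if the event is not of
    interest. Children inside the OOS tree are treated as expected."""
    if str(event.get("EventID")) != "1":
        return None
    parent = event.get("ParentImage", "")
    child = event.get("Image", "")
    if not is_under(parent, OOS_DIR):
        return None
    if is_under(child, OOS_DIR):
        return None
    child_name = ntpath.basename(child).lower()
    detail = (f"{ntpath.basename(parent)} (pid {event.get('ParentProcessId')}) "
              f"spawned {child_name} (pid {event.get('ProcessId')}): "
              f"{event.get('CommandLine', '')}")
    if child_name in SUSPICIOUS_CHILDREN:
        return ("HIGH", detail)
    # Anything else outside the OOS tree is worth a look for baselining.
    return ("REVIEW", detail)


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse JSON-lines Sysmon export and return all findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample export; component file names are placeholders.
SAMPLE_EVENTS = [
    '{"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3988, '
    r'"Image": "C:\\Program Files\\Microsoft Office Web Apps\\Renderer\\worker.exe", '
    r'"ParentImage": "C:\\Program Files\\Microsoft Office Web Apps\\Renderer\\render.exe", '
    '"CommandLine": "worker.exe --job 17"}',
    '{"EventID": 1, "ProcessId": 4188, "ParentProcessId": 3988, '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"ParentImage": "C:\\Program Files\\Microsoft Office Web Apps\\Renderer\\render.exe", '
    '"CommandLine": "cmd.exe /c whoami > C:\\\\Windows\\\\Temp\\\\o.txt"}',
    '{"EventID": 1, "ProcessId": 5002, "ParentProcessId": 3988, '
    r'"Image": "C:\\Windows\\System32\\conhost.exe", '
    r'"ParentImage": "C:\\Program Files\\Microsoft Office Web Apps\\Renderer\\render.exe", '
    '"CommandLine": "conhost.exe 0x4"}',
    '{"EventID": 1, "ProcessId": 612, "ParentProcessId": 600, '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"ParentImage": "C:\\Windows\\System32\\svchost.exe", '
    '"CommandLine": "cmd.exe /c dir"}',
    '{"EventID": 3, "ProcessId": 3988, '
    r'"Image": "C:\\Program Files\\Microsoft Office Web Apps\\Renderer\\render.exe", '
    '"DestinationIp": "10.0.0.5"}',
]

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports one HIGH finding (cmd.exe under the renderer) and one REVIEW finding (conhost.exe); the in-tree worker, the svchost child and the network-connection event are ignored. In production, feed it the Sysmon channel exported with Get-WinEvent or your SIEM, and tune the REVIEW tier against a baseline from a known-good server before alerting on it.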


Technical Details

Data Version
5.1
Assigner Short Name
microsoft
Date Reserved
2025-07-31T18:54:19.612Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68c071e3ce6ed8307545ba5d

Added to database: 9/9/2025, 6:28:51 PM

Last enriched: 9/9/2025, 6:38:03 PM

Last updated: 9/10/2025, 4:07:20 AM

