CVE-2025-54904 is a use-after-free vulnerability classified under CWE-416 found in Microsoft Office Online Server's Excel component, specifically version 16.0.0.0. Use-after-free vulnerabilities occur when a program continues to use memory after it has been freed, leading to undefined behavior, including potential code execution. In this case, an unauthorized attacker can exploit this flaw to execute arbitrary code locally on the affected system. The vulnerability requires user interaction, such as opening a malicious Excel file via Office Online Server, but does not require any privileges or prior authentication, increasing its risk profile. The CVSS 3.1 base score is 7.8, reflecting high severity due to the combination of local attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's nature suggests that attackers could craft malicious Excel documents that, when processed by Office Online Server, trigger the use-after-free condition and execute code. This could lead to full system compromise, data theft, or disruption of services. The vulnerability was reserved on July 31, 2025, and published on September 9, 2025, but no patches have been linked yet, indicating that mitigation options may be limited at this time. Organizations relying on Office Online Server for document collaboration and processing are at risk, especially in environments where users frequently interact with Excel files through the server.

For European organizations, this vulnerability poses significant risks due to the widespread use of Microsoft Office Online Server in enterprise environments for document collaboration and processing. Successful exploitation could allow attackers to execute arbitrary code locally, potentially leading to data breaches, unauthorized access to sensitive information, and disruption of business operations. Confidentiality, integrity, and availability of critical systems could be compromised. Given the local attack vector and requirement for user interaction, phishing or social engineering campaigns could be used to deliver malicious Excel files, increasing the likelihood of exploitation. The impact is particularly severe for sectors handling sensitive data such as finance, healthcare, government, and critical infrastructure. Additionally, organizations with compliance obligations under GDPR must consider the legal and reputational consequences of data breaches resulting from this vulnerability.

1. Monitor Microsoft security advisories closely and apply patches or updates for Office Online Server as soon as they become available. 2. Implement strict access controls to limit who can upload or open Excel files via Office Online Server, reducing exposure to malicious files. 3. Employ advanced email and web filtering solutions to detect and block malicious Excel documents before they reach users. 4. Educate users about the risks of opening unsolicited or suspicious Excel files, especially those received via email or external sources. 5. Use application whitelisting and endpoint protection solutions to detect and prevent exploitation attempts on client systems. 6. Consider isolating Office Online Server in segmented network zones with limited access to sensitive data and critical infrastructure. 7. Enable detailed logging and monitoring on Office Online Server to detect anomalous activities that may indicate exploitation attempts. 8. Regularly back up critical data and verify recovery procedures to mitigate potential data loss from exploitation.