CVE-2025-54904 is a high-severity use-after-free vulnerability (CWE-416) affecting Microsoft Office Online Server, specifically in the Microsoft Office Excel component. This vulnerability arises when the software improperly manages memory, allowing an attacker to exploit a freed memory region. The flaw enables an unauthorized attacker to execute arbitrary code locally on the affected system. The vulnerability is present in version 16.0.0.0 of Office Online Server. The CVSS 3.1 base score is 7.8, indicating a high impact with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, meaning the attack requires local access, low attack complexity, no privileges, and user interaction, but results in high confidentiality, integrity, and availability impacts. The vulnerability does not require prior authentication but does require the victim to interact with a maliciously crafted Excel file or content served via Office Online Server. Although no known exploits are currently in the wild, the potential for local code execution makes this a significant risk, especially in environments where Office Online Server is deployed to provide Excel services. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring. This vulnerability could be leveraged to gain control over the server hosting Office Online Server, potentially leading to data breaches, lateral movement within networks, or disruption of services.

For European organizations, the impact of CVE-2025-54904 could be substantial. Office Online Server is often used in enterprise environments to provide web-based access to Office documents, including Excel spreadsheets. Exploitation could allow attackers to execute arbitrary code on servers that process sensitive financial, operational, or personal data. This could lead to unauthorized data access, data manipulation, or service disruption. Given the high confidentiality, integrity, and availability impacts, organizations could face regulatory consequences under GDPR if personal data is compromised. Additionally, the local attack vector means that attackers may need some level of access or social engineering to trick users into opening malicious content, but once exploited, the attacker could escalate privileges or move laterally within corporate networks. This is particularly critical for sectors such as finance, healthcare, government, and critical infrastructure in Europe, where Office Online Server is integrated into daily workflows and document management systems.

To mitigate this vulnerability, European organizations should prioritize the following actions: 1) Monitor Microsoft security advisories closely for the release of official patches or updates addressing CVE-2025-54904 and apply them immediately upon availability. 2) Restrict local access to Office Online Server hosts to trusted administrators only, minimizing the risk of local exploitation. 3) Implement strict network segmentation and access controls to limit exposure of Office Online Server to untrusted networks or users. 4) Educate users about the risks of interacting with untrusted Excel files or links, especially those accessed via Office Online Server. 5) Employ application whitelisting and endpoint protection solutions capable of detecting anomalous behavior indicative of exploitation attempts. 6) Use logging and monitoring to detect unusual activity on Office Online Server hosts, such as unexpected process creation or memory access patterns. 7) Consider disabling or limiting Excel functionality in Office Online Server if not required, reducing the attack surface. 8) Conduct regular security assessments and penetration testing focused on Office Online Server deployments to identify potential weaknesses.