
CVE-2025-60724: CWE-122: Heap-based Buffer Overflow in Microsoft Office LTSC for Mac 2021

Severity: Critical
Tags: vulnerability, cve-2025-60724, cwe-122
Published: Tue Nov 11 2025 (11/11/2025, 17:59:41 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Microsoft Office LTSC for Mac 2021

Description

Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

AI-Powered Analysis

Last updated: 12/16/2025, 23:13:52 UTC

Technical Analysis

CVE-2025-60724 is a heap-based buffer overflow vulnerability classified under CWE-122, affecting the Microsoft Graphics Component within Microsoft Office LTSC for Mac 2021, specifically version 16.0.1. The vulnerability allows an attacker to remotely execute arbitrary code by sending specially crafted data over the network to a vulnerable system. Because the flaw exists in the graphics processing component, it can be triggered when the application processes maliciously crafted graphical content, potentially embedded in documents or transmitted over network protocols that Office may handle. The vulnerability requires no authentication and no user interaction, making it highly exploitable in remote attack scenarios. The CVSS v3.1 base score of 9.8 reflects the critical nature of the vulnerability, with metrics indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been observed yet, the vulnerability's characteristics suggest it could be weaponized rapidly after disclosure. The lack of available patches at the time of publication necessitates immediate risk mitigation strategies. This vulnerability poses a significant threat to organizations relying on Microsoft Office LTSC for Mac 2021, particularly in environments where network exposure is possible and where Mac devices are integral to business operations.

Potential Impact

The impact of CVE-2025-60724 on European organizations could be substantial. Successful exploitation allows attackers to execute arbitrary code remotely, potentially leading to full system compromise, data theft, or disruption of services. Confidentiality is at high risk as attackers can access sensitive documents and information processed by Office applications. Integrity is compromised because attackers can alter or inject malicious content into documents or system files. Availability is also threatened due to possible system crashes or denial-of-service conditions triggered by exploitation. European organizations with Mac-based workflows, including government agencies, financial institutions, and enterprises in technology and creative sectors, face heightened risk. The vulnerability's remote and unauthenticated nature increases the attack surface, especially in organizations with remote work policies or exposed network services. Additionally, the lack of current patches means organizations must rely on compensating controls, increasing operational complexity and risk exposure. The potential for rapid exploitation after patch release underscores the need for proactive defense measures to protect European digital infrastructure.

Mitigation Recommendations

Given the absence of an official patch at the time of disclosure, European organizations should implement immediate compensating controls. These include restricting network access to systems running Microsoft Office LTSC for Mac 2021, especially limiting inbound traffic to trusted sources and employing network segmentation to isolate vulnerable devices. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying anomalous behavior related to memory corruption and code execution attempts. Enforce strict application whitelisting and monitor logs for unusual Office application activity. Educate users about the risks of opening untrusted documents, even though user interaction is not required for exploitation, as some attack vectors may still involve document delivery. Once Microsoft releases a patch, prioritize rapid deployment across all affected Mac endpoints. Additionally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises. Collaborate with IT and security teams to conduct vulnerability scans and penetration tests to assess exposure and validate mitigation effectiveness.


Technical Details

Data Version
5.2
Assigner Short Name
microsoft
Date Reserved
2025-09-26T05:03:24.537Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69137c4a47ab3590319da106

Added to database: 11/11/2025, 6:11:22 PM

Last enriched: 12/16/2025, 11:13:52 PM

Last updated: 12/27/2025, 9:39:33 AM

