CVE-2025-60728 is a vulnerability classified under CWE-822 (Untrusted Pointer Dereference) found in Microsoft Excel, part of the Microsoft 365 Apps for Enterprise suite, version 16.0.1. The flaw arises when Excel improperly handles pointers from untrusted sources, leading to dereferencing invalid or malicious pointers. This can cause the application to disclose sensitive information over a network without requiring any privileges or authentication, but it does require user interaction, such as opening a crafted Excel file. The vulnerability impacts the availability of the application to a limited extent, potentially causing crashes or denial of service. The CVSS v3.1 base score is 4.3, indicating a medium severity level. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability's exploitation vector is network-based, meaning an attacker can remotely trigger the flaw by convincing a user to open a malicious Excel document, which then leads to information leakage. This type of vulnerability is significant because it can be used as a stepping stone for further attacks or data exfiltration within enterprise environments. The vulnerability was reserved in late September 2025 and published in November 2025, indicating recent discovery and disclosure.

For European organizations, the primary impact of CVE-2025-60728 is the potential unauthorized disclosure of sensitive information through Microsoft Excel. Given the widespread use of Microsoft 365 Apps in Europe, especially in sectors like finance, government, and critical infrastructure, this vulnerability could expose confidential data if exploited. Although the vulnerability does not allow privilege escalation or direct code execution, information disclosure can aid attackers in reconnaissance and subsequent targeted attacks. The requirement for user interaction means phishing or social engineering campaigns could be used to deliver malicious Excel files. The limited availability impact could disrupt business operations temporarily if Excel crashes or becomes unstable. Organizations handling sensitive personal data under GDPR must be particularly cautious, as data leakage could lead to regulatory penalties and reputational damage. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

1. Apply security updates and patches from Microsoft as soon as they become available for Microsoft 365 Apps for Enterprise version 16.0.1. 2. Implement strict email filtering and attachment scanning to block or quarantine suspicious Excel files, especially from unknown or untrusted sources. 3. Educate users about the risks of opening unsolicited or unexpected Excel documents and encourage verification of file origins. 4. Use Microsoft Defender for Office 365 or similar advanced threat protection tools to detect and block malicious documents. 5. Restrict macros and external content in Excel files through group policy or application control to reduce attack surface. 6. Monitor network traffic for unusual data exfiltration patterns that could indicate exploitation attempts. 7. Employ network segmentation to limit the impact of any potential compromise. 8. Maintain regular backups of critical data and ensure incident response plans are updated to address this vulnerability scenario.