CVE-2025-47170
Published 2025-06-10
CVE-2025-47170: Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Priority: P180 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 0.56% (42.1 percentile)
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_apps_for_enterprise | >= 16.0.1 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_2024 | >= 16.0.0 < https://aka.ms/OfficeSecurityReleases | https://aka.ms/OfficeSecurityReleases |
| microsoft | microsoft_office_ltsc_for_mac_2024 | >= 16.0.0 < 16.98.25060824 | 16.98.25060824 |
| microsoft | office_long_term_servicing_channel | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_32-bit_systems | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_64-bit_systems | — | — |
| msrc | microsoft_office_ltsc_2024_for_32-bit_editions | — | — |
| msrc | microsoft_office_ltsc_2024_for_64-bit_editions | — | — |
| msrc | microsoft_office_ltsc_for_mac_2024 | — | — |
Detection & IOCs (extracted from sources)
- Attack vector is local and requires user interaction — attacker must deliver a malicious Office (Word) file and convince the victim to open it; the Preview Pane is NOT an attack vector, so detections should focus on file-open events.
- Preview Pane is confirmed not an attack vector; hunting should focus on WinWord.exe process launches that result in child/spawned processes or anomalous memory-free/reuse patterns indicative of use-after-free exploitation.
- Security updates for Microsoft 365 (Click-to-Run) were not immediately available at time of publication; patch status should be verified before assuming remediation is complete.
- Despite the 'Remote Code Execution' title, exploitation is local (AV:L) — the attacker is remote but the exploit executes locally on the victim's machine after the malicious file is opened.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| vulncheck | 7.8 | HIGH | — |
| vendor_msrc | 7.8 | HIGH | — |
GHSA
GHSA-9h68-3v3c-5fmj: Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally
ghsa_unreviewed · 2025-06-10 · HIGH · CWE-416
VulnCheck
Microsoft Office Use After Free
vulncheck · 2025 · CVSS 7.8 · HIGH
Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
Affected: Microsoft Office
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250903.pdf
Microsoft
Microsoft Word Remote Code Execution Vulnerability
vendor_msrc · 2025-06-10 · CVSS 7.8 · HIGH · CWE-416
Description: Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
FAQ: Are the updates for Microsoft 365 for Office currently available?
The security updates for Microsoft 365 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.
FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an
No detection rules found.
No public exploits indexed.
Timeline
- 2025-06-10: Published
- Exploited in the wild