Microsoft Excel RCE Vulnerability Can Be Triggered by a Malicious File
Microsoft has patched a remote code execution vulnerability in Excel that can be triggered when a user opens a specially crafted spreadsheet. The flaw is tracked as CVE-2025-60727 and affects Microsoft 365 Apps, standalone Office versions, and Office Online Server.
The vulnerability is listed in the Microsoft Security Update Guide as an Excel code execution issue. It requires user interaction, meaning an attacker must convince the victim to open a malicious file.
The NVD entry for CVE-2025-60727 gives the flaw a CVSS 3.1 score of 7.8, which Microsoft classifies as High severity. There are no public reports of active exploitation in the available data.
What CVE-2025-60727 affects
CVE-2025-60727 is an out-of-bounds read vulnerability in Microsoft Office Excel. This type of memory flaw can make the application read data outside the intended memory boundary while processing a malformed file.
Microsoft’s Office security release notes list CVE-2025-60727 under Excel in the November 11, 2025 security update. The Microsoft Office security update notes apply to Microsoft 365 Apps, Office 2019, Office LTSC 2021, Office 2021, Office LTSC 2024, and Office 2024.
SentinelOne’s vulnerability database also describes the issue as an Excel out-of-bounds read that can lead to local code execution when a user opens a crafted document. The SentinelOne CVE-2025-60727 analysis highlights common delivery paths such as email attachments, file-sharing links, and web downloads.
Affected Microsoft products
| Product | Affected platforms or versions | What administrators should do |
|---|---|---|
| Microsoft 365 Apps for Enterprise | 32-bit and x64 systems | Update through the configured Click-to-Run channel. |
| Microsoft Excel 2016 | 32-bit and x64 systems | Install the latest Excel 2016 security update. |
| Microsoft Office 2019 | 32-bit and x64 systems | Apply the current Office security update. |
| Office LTSC 2021 and Office LTSC 2024 | Windows and Mac versions | Update to the latest supported build. |
| Office Online Server | Versions before the fixed build | Apply the relevant Office Online Server update. |
The National Vulnerability Database says affected software includes Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC for Windows and Mac, and Office Online Server.
NVD also shows that the record was first published on November 11, 2025, and later updated on June 17, 2026. That June update added affected product information and CISA SSVC data.
CISA’s SSVC entry in NVD lists exploitation as none, automatable as no, and technical impact as total. That combination means the flaw has serious impact if exploited, but the available record does not show known exploitation.
How the Excel attack works
An attacker would need to craft a malicious Excel file and deliver it to the victim. Common lures include invoices, financial reports, shipping notices, HR documents, purchase orders, or shared spreadsheet links.
When the victim opens the file in a vulnerable version of Excel or Office, the malformed file can trigger the memory flaw. Successful exploitation can let malicious code run with the same privileges as the signed-in user.
The SentinelOne write-up notes that the attack does not require authentication or elevated privileges. The practical barrier is social engineering, because the user must open the document.
Why this still matters without active exploitation
Document-based attacks remain common because business users open spreadsheets every day. Finance teams, HR staff, sales teams, logistics departments, and executive assistants often receive Excel files from outside the organization.
A high-severity Excel flaw can become more dangerous when attackers combine it with convincing phishing messages. Even without public exploitation reports, organizations should not wait to patch endpoints that regularly handle external documents.
Rapid7’s November 2025 Patch Tuesday review said Microsoft published 66 new vulnerabilities that month, including critical remote code execution issues in other products. The Rapid7 Patch Tuesday summary noted that Microsoft assessed the critical RCE bugs in that release as less likely to be exploited at the time.
Key CVE-2025-60727 details
| Detail | Information |
|---|---|
| CVE ID | CVE-2025-60727 |
| Vulnerability type | Out-of-bounds read |
| CWE | CWE-125 |
| Severity | High |
| CVSS score | 7.8 |
| User interaction | Required |
| Privileges required | None |
| Known active exploitation | No public reports in available data |
The vulnerability is best understood as a local code execution issue that attackers can deliver remotely through phishing or file sharing. The CVSS vector uses a local attack vector (AV:L) because the malicious file must be opened on the target system; the "remote" part is only the delivery of the file.
That distinction matters for defenders. Blocking a network port will not fix the issue. The more useful controls are patching, email filtering, attachment scanning, Protected View, endpoint monitoring, and least-privilege user accounts.
The Microsoft advisory should remain the primary source for product-specific update guidance, because build numbers and update packages vary across Office channels.
What security teams should monitor
Security teams should watch for suspicious behavior after Excel opens a file. Exploitation attempts may produce unusual process activity, network connections, or crash telemetry tied to EXCEL.EXE.
- Excel spawning command shells, script interpreters, or unusual Windows binaries.
- Outbound network connections created by EXCEL.EXE after a document opens.
- Excel crashes or access violations while opening external files.
- New persistence entries created shortly after a spreadsheet was opened.
- Unexpected files written to user-writable folders after Excel execution.
- Suspicious Excel attachments from external senders or newly created domains.
Administrators should also review endpoint detection alerts involving child processes such as cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe, or regsvr32.exe launched from Excel.
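The monitoring points above translate directly into detection logic. The following is an added example, not code from the article or from any vendor named in it: it runs two checks over constructed Sysmon-style records (process creation, event ID 1, and network connection, event ID 3), flagging EXCEL.EXE spawning any of the child binaries listed above and EXCEL.EXE connecting anywhere outside a small allowlist. The allowlisted address, hostnames, paths and command lines are all made up for the demo.

```python
"""Detect the Excel behaviors described above in constructed Sysmon-style
process-creation (ID 1) and network-connection (ID 3) records.
Added example; not from the article or any vendor tool."""

# Child binaries the article names as suspicious when launched from Excel.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe",
}

# Constructed allowlist: destinations Excel is expected to reach in this
# environment (assumption: one internal file server). Tune per site.
ALLOWED_DESTINATIONS = {"10.20.30.5"}

EXCEL_PATH = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict):
    """Return an alert string for a suspicious record, or None."""
    event_id = event.get("EventID")
    image = image_name(event.get("Image", ""))
    if event_id == 1:  # Sysmon process creation
        parent = image_name(event.get("ParentImage", ""))
        if parent == "excel.exe" and image in SUSPICIOUS_CHILDREN:
            return f"excel.exe spawned {image}: {event.get('CommandLine', '')}"
    elif event_id == 3:  # Sysmon network connection
        dest = event.get("DestinationIp", "")
        if image == "excel.exe" and dest not in ALLOWED_DESTINATIONS:
            return f"excel.exe connected to {dest}:{event.get('DestinationPort')}"
    return None


def find_alerts(events):
    """Run check_event over a sequence of records, keeping only alerts."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample telemetry; every value below is made up.
SAMPLE_EVENTS = [
    # Normal: Excel started from Explorer to open a spreadsheet.
    {"EventID": 1, "Image": EXCEL_PATH, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "EXCEL.EXE invoice.xlsx"},
    # Suspicious: Excel spawned cmd.exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EXCEL_PATH,
     "CommandLine": "cmd.exe /c dir"},
    # Suspicious: Excel spawned PowerShell.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": EXCEL_PATH, "CommandLine": "powershell.exe -File stage.ps1"},
    # Not an Excel child: cmd.exe spawned by cmd.exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    # Expected: Excel reaching the allowlisted internal file server.
    {"EventID": 3, "Image": EXCEL_PATH, "DestinationIp": "10.20.30.5", "DestinationPort": 445},
    # Suspicious: Excel reaching an unlisted external address.
    {"EventID": 3, "Image": EXCEL_PATH, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The network check is the noisy one in practice: Microsoft 365 Apps legitimately reach Microsoft cloud endpoints, so the allowlist needs to be built from observed baseline traffic before the rule is promoted from audit to alerting.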
How organizations should reduce risk
The most important step is to apply Microsoft’s security updates across all affected Office installations. Microsoft 365 Apps users should confirm that their Click-to-Run channel has received the current security build.
Organizations using standalone Office releases should deploy the relevant Microsoft security updates through Microsoft Update, Windows Server Update Services, Configuration Manager, Intune, or their normal patch management tools.
The Office security update release notes list the Office builds covered by Microsoft’s monthly security releases. Administrators should compare those builds against endpoint inventory rather than assuming all devices updated automatically.
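Comparing release-note builds against inventory is easy to get wrong when done by eye, because Office builds have four dot-separated components and each update channel has its own minimum. The following is an added example, not the article's or Microsoft's code: it parses build strings numerically and reports every endpoint that is below its channel's minimum, on a channel with no known minimum, or reporting a build string it cannot parse. The minimum builds in the table are constructed placeholders; the real values come from the Office security update release notes for the month being checked.

```python
"""Compare an endpoint inventory against per-channel minimum Office builds.
Added example. Build numbers below are constructed placeholders, not the
real fixed builds, which come from Microsoft's release notes."""

from typing import Dict, List, Optional, Tuple

# PLACEHOLDER minimums: replace each value with the build listed for that
# channel in the Office security update release notes. Invented for the demo.
MINIMUM_BUILDS: Dict[str, str] = {
    "Current Channel": "16.0.19300.20000",
    "Monthly Enterprise Channel": "16.0.19200.20000",
    "Semi-Annual Enterprise Channel": "16.0.18900.20000",
    "Office LTSC 2024": "16.0.17900.20000",
}


def parse_build(build: str) -> Optional[Tuple[int, ...]]:
    """Turn '16.0.19328.20158' into (16, 0, 19328, 20158); None if malformed.
    Tuples compare component-wise, which string comparison would get wrong."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def find_outdated(inventory: List[dict]) -> List[dict]:
    """Return inventory rows that need attention, each with a 'reason' field:
    below the channel minimum, unknown channel, or unparseable build."""
    findings = []
    for row in inventory:
        channel = row.get("channel", "")
        minimum = MINIMUM_BUILDS.get(channel)
        current = parse_build(row.get("build", ""))
        if minimum is None:
            reason = f"unknown channel {channel!r}; check manually"
        elif current is None:
            reason = f"unparseable build {row.get('build')!r}; re-collect inventory"
        elif current < parse_build(minimum):
            reason = f"build {row['build']} below minimum {minimum}"
        else:
            continue  # current build meets or exceeds the minimum
        findings.append({**row, "reason": reason})
    return findings


# Constructed inventory export (host names and builds are made up).
INVENTORY = [
    {"host": "FIN-PC-01", "channel": "Current Channel", "build": "16.0.19328.20158"},
    {"host": "FIN-PC-02", "channel": "Current Channel", "build": "16.0.19231.20194"},
    {"host": "HR-PC-07", "channel": "Monthly Enterprise Channel", "build": "16.0.19200.20000"},
    {"host": "LEGAL-PC-03", "channel": "Semi-Annual Enterprise Channel", "build": "16.0.18827.20000"},
    {"host": "EXEC-LT-01", "channel": "Office LTSC 2024", "build": "16.0.18025"},
    {"host": "KIOSK-01", "channel": "Beta Channel", "build": "16.0.19400.20000"},
]

if __name__ == "__main__":
    for finding in find_outdated(INVENTORY):
        print(f"{finding['host']}: {finding['reason']}")
```

A host whose build equals the minimum passes, because the release notes list the first build containing the fix. Rows that fail for a non-version reason (unknown channel, bad build string) are reported rather than silently skipped, since a device the script cannot classify is exactly the device most likely to have missed the update.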
Recommended protections beyond patching
Patching fixes the vulnerable code, but layered controls can reduce exposure to future document-based attacks. These controls matter because attackers often move quickly from one Office flaw to another.
- Keep Protected View enabled for files from the internet.
- Block macros and external content from untrusted sources.
- Use Attack Surface Reduction rules to limit Office child processes.
- Scan attachments and links before delivery to inboxes.
- Restrict Office file handling on high-risk shared workstations.
- Use least-privilege accounts for users who handle external files daily.
- Train employees to verify unexpected invoices, reports, and shared spreadsheets.
Attack Surface Reduction rules can help block common post-exploitation behavior, such as Office apps creating child processes or launching executable content. These rules work best when tested in audit mode before enforcement.
Who should patch first
Organizations should prioritize users who frequently receive external Excel files. Finance, accounting, HR, procurement, logistics, sales operations, legal, and executive support teams face higher exposure because attackers often target them with spreadsheet lures.
Office Online Server also deserves attention because it can process Office documents for web-based viewing and collaboration. Servers that handle files from untrusted users should receive priority in patch planning.
Although CVE-2025-60727 has no public exploitation reports, the combination of file-based delivery and full technical impact makes it important. Patch affected Office builds, keep document protections enabled, and investigate any unusual Excel behavior after opening external files.
FAQ
CVE-2025-60727 is a high-severity out-of-bounds read vulnerability in Microsoft Office Excel that can allow code execution when a user opens a specially crafted Excel file.
The available public data does not show active exploitation. NVD lists exploitation as none in CISA’s SSVC information, but organizations should still patch because the flaw can have serious impact if exploited.
Affected products include Microsoft 365 Apps for Enterprise, Microsoft Excel 2016, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, Office LTSC for Mac, and Office Online Server.
An attacker must convince a user to open a malicious Excel file. If the user opens it in a vulnerable Office version, the flaw can allow code to run with that user’s privileges.
Organizations should apply Microsoft’s Office security updates, keep Microsoft 365 Apps current, enable Protected View, block risky external content, use Attack Surface Reduction rules, and monitor suspicious Excel child processes.