A critical Remote Code Execution (RCE) vulnerability has been identified within the Microsoft 365 ecosystem, turning standard spreadsheets into dangerous attack vectors. As detailed by Cybersecurity News, the exploit leverages malicious Excel files to compromise target systems, enabling attackers to execute arbitrary code with the privileges of the logged-in user.

Technical Breakdown: Out-of-Bounds Read

The flaw stems from how Excel handles memory allocation. By manipulating the internal structure of .xls or .xlsx formats, an attacker can trigger an out-of-bounds read, forcing the application to access memory outside its intended buffer. According to GBHackers, this memory corruption allows the attacker to expose sensitive regions and subsequently trigger unauthorized code execution on the victim's machine.
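As an added illustration (not from the original article, and not Excel's actual code), the C example below shows the validation that prevents this class of bug: a parser must check every length field taken from the file against the bytes that are actually left in the buffer. The BIFF-style record layout (2-byte type, 2-byte length, payload), the function names and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: a BIFF-style record stream, each record being a 2-byte type,
   a 2-byte payload length (both little-endian), then the payload. */
#define REC_HEADER_LEN 4u

/* Read a little-endian u16; the caller has already proven 2 bytes exist. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk every record in buf[0..len). Returns the number of well-formed
   records, or -1 if any header or declared payload would run past the end
   of the buffer (the condition an unchecked parser turns into an
   out-of-bounds read). */
long count_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    long n = 0;

    while (off < len) {
        /* Header check: compare against the remaining bytes, never
           off + 4, so the arithmetic cannot wrap. */
        if (len - off < REC_HEADER_LEN)
            return -1;
        uint16_t payload = rd16(buf + off + 2);
        off += REC_HEADER_LEN;

        /* Payload check: the length field is untrusted file content. */
        if (payload > len - off)
            return -1;
        off += payload;
        n++;
    }
    return n;
}

/* Constructed sample inputs (not taken from any real file). */
static const uint8_t good_stream[] = {
    0x09, 0x08, 0x02, 0x00, 0xAA, 0xBB,   /* type 0x0809, 2-byte payload */
    0x0A, 0x00, 0x00, 0x00                /* type 0x000A, empty payload  */
};
static const uint8_t bad_stream[] = {
    0x09, 0x08, 0xFF, 0x00, 0xAA, 0xBB    /* declares 255 bytes, has 2   */
};

long check_good(void) { return count_records(good_stream, sizeof good_stream); }
long check_bad(void)  { return count_records(bad_stream, sizeof bad_stream); }
```

A parser that trusted the 255-byte length in `bad_stream` would read far past the 6-byte buffer; the checked walker rejects the stream instead.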

Attack Vectors and Affected Versions

While some of these vulnerabilities are categorized with a local attack vector (AV:L) in CVSS terms, Microsoft classifies them as RCE because the malicious payload is delivered remotely over a network. Common delivery methods include:
  • Phishing emails containing malicious attachments.
  • Web downloads from compromised sources.
  • Shared network storage or removable media.

Affected software includes Microsoft 365 Apps for Enterprise, as well as Office 2019 and Office 2021. Notably, Windows News reports that patches for Office on Mac (LTSC 2021 and 2024) may have faced delays, leaving macOS users temporarily exposed.

A Broader Security Context

This vulnerability is part of a wider trend of security flaws in the Office suite. Recent reports highlight CVE-2026-45471 affecting Microsoft Word, and a debug mode flaw that put billions of Android app downloads (including Excel and PowerPoint) at risk of token theft. These incidents underscore the critical importance of rapid patch management in enterprise environments to mitigate risks stemming from memory corruption and logic errors.