cvelistv5 - cve-2025-49756

CVE-2025-49756 (GCVE-0-2025-49756)

Vulnerability from cvelistv5

Published

2025-07-08 16:57

Modified

2025-08-23 00:39

Severity ?

3.3 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

CWE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Summary

Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.

References

URL

	Vendor	Product	Version
	Microsoft	Microsoft 365 Apps for Enterprise	Version: 16.0.1 < https://aka.ms/OfficeSecurityReleases

CERTFR-2025-AVI-0576

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans Microsoft Office. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	N/A	Microsoft Outlook 2016 (édition 32 bits) versions antérieures à 16.0.5508.1002
Microsoft	N/A	Microsoft Office 2016 (édition 64 bits) versions antérieures à 16.0.5508.1001
Microsoft	N/A	Microsoft Office LTSC pour Mac 2024
Microsoft	N/A	Microsoft Word 2016 (édition 32 bits) versions antérieures à 16.0.5508.1001
Microsoft	N/A	Microsoft Office LTSC 2024 pour éditions 64 bits
Microsoft	N/A	Microsoft Office LTSC pour Mac 2021
Microsoft	N/A	Microsoft Office LTSC 2021 pour éditions 32 bits
Microsoft	N/A	Microsoft Office 2019 pour éditions 32 bits
Microsoft	N/A	Microsoft Excel 2016 (édition 64 bits) versions antérieures à 16.0.5508.1001
Microsoft	N/A	Microsoft Word 2016 (édition 32 bits) versions antérieures à 16.0.5508.1000
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour systèmes 32 bits
Microsoft	N/A	Microsoft Office 2019 pour éditions 64 bits
Microsoft	N/A	Microsoft Office LTSC 2024 pour éditions 32 bits
Microsoft	N/A	Microsoft Word 2016 (édition 64 bits) versions antérieures à 16.0.5508.1001
Microsoft	N/A	Microsoft Outlook 2016 (édition 64 bits) versions antérieures à 16.0.5508.1002
Microsoft	N/A	Microsoft Excel 2016 (édition 32 bits) versions antérieures à 16.0.5508.1001
Microsoft	N/A	Microsoft PowerPoint 2016 (édition 32 bits) versions antérieures à 16.0.5508.1000
Microsoft	N/A	Microsoft Word 2016 (édition 64 bits) versions antérieures à 16.0.5508.1000
Microsoft	N/A	Microsoft Office 2016 (édition 32 bits) versions antérieures à 16.0.5508.1001
Microsoft	N/A	Microsoft Office LTSC 2021 pour éditions 64 bits
Microsoft	N/A	Microsoft PowerPoint 2016 (édition 64 bits) versions antérieures à 16.0.5508.1000
Microsoft	N/A	Microsoft 365 Apps pour Enterprise pour systèmes 64 bits
Microsoft	N/A	Microsoft Office pour Android versions antérieures à 16.0.19029.20000
Microsoft	N/A	Office Online Server versions antérieures à 16.0.10417.20027

References

Title

Publication Time

wid-sec-w-2025-1491

Vulnerability from csaf_certbund

Published

2025-07-08 22:00

Modified

2025-07-22 22:00

Summary

Microsoft Office: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Excel ist ein Tabellenkalkulationsprogramm der Microsoft Office Suite und ist sowohl für Microsoft Windows als auch für Mac OS verfügbar. Microsoft PowerPoint ist ein Programm zum Erstellen und Vorführen von Präsentationen. PowerPoint Viewer ist ein Anzeigeprogramm für PowerPoint Dateien. Microsoft Word ist ein Textverarbeitungsprogramm der Firma Microsoft für die Windows-Betriebssysteme. Die Microsoft Office Suite beinhaltet zahlreiche Büroanwendungen wie Textverarbeitung, Tabellenkalkulation, Datenbank und weitere Applikationen. Outlook ist ein Personal Information Manager von Microsoft und ist Bestandteil der Office Suite. Microsoft Office Online Server ist ein Serverprodukt, das browserbasierte Versionen von Word, PowerPoint, Excel und OneNote bereitstellt. Microsoft Sharepoint Services ist ein Portalsystem für die zentrale Verwaltung von Dokumenten und Anwendungen. Die Inhalte werden u.a. über Webseiten zur Verfügung gestellt. Microsoft Sharepoint ist ein Portalsystem für die zentrale Verwaltung von Dokumenten und Anwendungen. Die Inhalte werden u. a. über Webseiten zur Verfügung gestellt. Microsoft 365 Apps ist eine Office Suite für zahlreiche Büroanwendungen. Microsoft Teams ist ein Kollaborations-, Kommunikations- und Videokonferenz-Tool.

Angriff

Ein entfernter, authentisierter Angreifer oder ein lokaler Angreifer kann mehrere Schwachstellen in Microsoft Excel 2016, Microsoft PowerPoint 2016, Microsoft Word 2016, Microsoft Office 2016, Microsoft Outlook 2016, Microsoft Office Online Server, Microsoft SharePoint, Microsoft Office 2019, Microsoft SharePoint Server 2019, Microsoft 365 Apps, Microsoft Teams und Microsoft Office ausnutzen, um Administratorrechte zu erlangen, um beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, Sicherheitsmaßnahmen zu umgehen und Spoofing-Angriffe durchzuführen.

Betroffene Betriebssysteme

- Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Excel ist ein Tabellenkalkulationsprogramm der Microsoft Office Suite und ist sowohl f\u00fcr Microsoft Windows als auch f\u00fcr Mac OS verf\u00fcgbar.\r\nMicrosoft PowerPoint ist ein Programm zum Erstellen und Vorf\u00fchren von Pr\u00e4sentationen. PowerPoint Viewer ist ein Anzeigeprogramm f\u00fcr PowerPoint Dateien.\r\nMicrosoft Word ist ein Textverarbeitungsprogramm der Firma Microsoft f\u00fcr die Windows-Betriebssysteme.\r\nDie Microsoft Office Suite beinhaltet zahlreiche B\u00fcroanwendungen wie Textverarbeitung, Tabellenkalkulation, Datenbank und weitere Applikationen.\r\nOutlook ist ein Personal Information Manager von Microsoft und ist Bestandteil der Office Suite.\r\nMicrosoft Office Online Server ist ein Serverprodukt, das browserbasierte Versionen von Word, PowerPoint, Excel und OneNote bereitstellt. \r\nMicrosoft Sharepoint Services ist ein Portalsystem f\u00fcr die zentrale Verwaltung von Dokumenten und Anwendungen. Die Inhalte werden u.a. \u00fcber Webseiten zur Verf\u00fcgung gestellt.\r\nMicrosoft Sharepoint ist ein Portalsystem f\u00fcr die zentrale Verwaltung von Dokumenten und Anwendungen. Die Inhalte werden u. a. \u00fcber Webseiten zur Verf\u00fcgung gestellt.\r\nMicrosoft 365 Apps ist eine Office Suite f\u00fcr zahlreiche B\u00fcroanwendungen.\r\nMicrosoft Teams ist ein Kollaborations-, Kommunikations- und Videokonferenz-Tool.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer oder ein lokaler Angreifer kann mehrere Schwachstellen in Microsoft Excel 2016, Microsoft PowerPoint 2016, Microsoft Word 2016, Microsoft Office 2016, Microsoft Outlook 2016, Microsoft Office Online Server, Microsoft SharePoint, Microsoft Office 2019, Microsoft SharePoint Server 2019, Microsoft 365 Apps, Microsoft Teams und Microsoft Office ausnutzen, um Administratorrechte zu erlangen, um beliebigen Code auszuf\u00fchren, vertrauliche Informationen offenzulegen, Sicherheitsma\u00dfnahmen zu umgehen und Spoofing-Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1491 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1491.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1491 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1491"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates",
        "url": "https://msrc.microsoft.com/update-guide/"
      },
      {
        "category": "external",
        "summary": "CISA Known Exploited Vulnerabilities Catalog vom 2025-07-22",
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Office: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-07-22T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-23T04:56:51.971+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1491",
      "initial_release_date": "2025-07-08T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-08T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-07-22T22:00:00.000+00:00",
          "number": "2",
          "summary": "CVE-2025-49704 und CVE-2025-49706 werden ausgenutzt"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Microsoft 365 Apps",
            "product": {
              "name": "Microsoft 365 Apps",
              "product_id": "T045185",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:365_apps:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Microsoft Excel 2016",
            "product": {
              "name": "Microsoft Excel 2016",
              "product_id": "T045176",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:excel_2016:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "for Android",
                "product": {
                  "name": "Microsoft Office for Android",
                  "product_id": "T043649",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:for_android"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "LTSC for Mac 2021",
                "product": {
                  "name": "Microsoft Office LTSC for Mac 2021",
                  "product_id": "T045187",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:ltsc_for_mac_2021"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "LTSC 2021",
                "product": {
                  "name": "Microsoft Office LTSC 2021",
                  "product_id": "T045188",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:ltsc_2021"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "LTSC 2024",
                "product": {
                  "name": "Microsoft Office LTSC 2024",
                  "product_id": "T045191",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:ltsc_2024"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "LTSC for Mac 2024",
                "product": {
                  "name": "Microsoft Office LTSC for Mac 2024",
                  "product_id": "T045192",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:office:ltsc_for_mac_2024"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Office"
          },
          {
            "category": "product_name",
            "name": "Microsoft Office 2016",
            "product": {
              "name": "Microsoft Office 2016",
              "product_id": "T045179",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:office_2016:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Microsoft Office 2019",
            "product": {
              "name": "Microsoft Office 2019",
              "product_id": "T045183",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:office_2019:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Microsoft Office Online Server",
            "product": {
              "name": "Microsoft Office Online Server",
              "product_id": "T045181",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:office_online_server:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Microsoft Outlook 2016",
            "product": {
              "name": "Microsoft Outlook 2016",
              "product_id": "T045180",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:outlook_2016:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Microsoft PowerPoint 2016",
            "product": {
              "name": "Microsoft PowerPoint 2016",
              "product_id": "T045177",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:powerpoint_2016:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Enterprise Server 2016",
                "product": {
                  "name": "Microsoft SharePoint Enterprise Server 2016",
                  "product_id": "T045182",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:sharepoint:enterprise_server_2016"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Server Subscription Edition",
                "product": {
                  "name": "Microsoft SharePoint Server Subscription Edition",
                  "product_id": "T045189",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:sharepoint:server_subscription_edition"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SharePoint"
          },
          {
            "category": "product_name",
            "name": "Microsoft SharePoint Server 2019",
            "product": {
              "name": "Microsoft SharePoint Server 2019",
              "product_id": "T045184",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:sharepoint_server_2019:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "for Desktop",
                "product": {
                  "name": "Microsoft Teams for Desktop",
                  "product_id": "T029139",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:teams:for_desktop"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for Mac",
                "product": {
                  "name": "Microsoft Teams for Mac",
                  "product_id": "T029140",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:teams:for_mac"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for iOS",
                "product": {
                  "name": "Microsoft Teams for iOS",
                  "product_id": "T045186",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:teams:for_ios"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "for Android",
                "product": {
                  "name": "Microsoft Teams for Android",
                  "product_id": "T045190",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:teams:for_android"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Teams"
          },
          {
            "category": "product_name",
            "name": "Microsoft Word 2016",
            "product": {
              "name": "Microsoft Word 2016",
              "product_id": "T045178",
              "product_identification_helper": {
                "cpe": "cpe:/a:microsoft:word_2016:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-47994",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-47994"
    },
    {
      "cve": "CVE-2025-48812",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-48812"
    },
    {
      "cve": "CVE-2025-49695",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49695"
    },
    {
      "cve": "CVE-2025-49696",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49696"
    },
    {
      "cve": "CVE-2025-49697",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49697"
    },
    {
      "cve": "CVE-2025-49698",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49698"
    },
    {
      "cve": "CVE-2025-49699",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49699"
    },
    {
      "cve": "CVE-2025-49700",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49700"
    },
    {
      "cve": "CVE-2025-49701",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49701"
    },
    {
      "cve": "CVE-2025-49702",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49702"
    },
    {
      "cve": "CVE-2025-49703",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49703"
    },
    {
      "cve": "CVE-2025-49704",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49704"
    },
    {
      "cve": "CVE-2025-49705",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49705"
    },
    {
      "cve": "CVE-2025-49706",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49706"
    },
    {
      "cve": "CVE-2025-49711",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49711"
    },
    {
      "cve": "CVE-2025-49731",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49731"
    },
    {
      "cve": "CVE-2025-49737",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49737"
    },
    {
      "cve": "CVE-2025-49756",
      "product_status": {
        "known_affected": [
          "T045190",
          "T045181",
          "T045192",
          "T029140",
          "T045180",
          "T045191",
          "T045183",
          "T045182",
          "T043649",
          "T045185",
          "T045184",
          "T045176",
          "T045187",
          "T029139",
          "T045186",
          "T045178",
          "T045189",
          "T045177",
          "T045188",
          "T045179"
        ]
      },
      "release_date": "2025-07-08T22:00:00.000+00:00",
      "title": "CVE-2025-49756"
    }
  ]
}

fkie_cve-2025-49756

Vulnerability from fkie_nvd

Published

2025-07-08 17:16

Modified

2025-07-10 13:18

Severity ?

3.3 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Summary

Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.

References

	URL	Tags
	secure@microsoft.com	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally."
    },
    {
      "lang": "es",
      "value": "El uso de un algoritmo criptogr\u00e1fico roto o riesgoso en Office Developer Platform permite a un atacante autorizado eludir una funci\u00f3n de seguridad localmente."
    }
  ],
  "id": "CVE-2025-49756",
  "lastModified": "2025-07-10T13:18:53.830",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 2.5,
        "source": "secure@microsoft.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-07-08T17:16:04.020",
  "references": [
    {
      "source": "secure@microsoft.com",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756"
    }
  ],
  "sourceIdentifier": "secure@microsoft.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "secure@microsoft.com",
      "type": "Primary"
    }
  ]
}

ghsa-gfj7-mwjw-jmhf

Vulnerability from github

Published

2025-07-08 18:31

Modified

2025-07-08 18:31

Severity ?

3.3 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Details

Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-49756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T17:16:04Z",
    "severity": "LOW"
  },
  "details": "Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.",
  "id": "GHSA-gfj7-mwjw-jmhf",
  "modified": "2025-07-08T18:31:51Z",
  "published": "2025-07-08T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49756"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

msrc_cve-2025-49756

Vulnerability from csaf_microsoft

Published

2025-07-08 07:00

Modified

2025-07-08 07:00

Summary

Office Developer Platform Security Feature Bypass Vulnerability

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Customer Action

Required. The vulnerability documented by this CVE requires customer action to resolve.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Anonymous with Microsoft"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      },
      {
        "category": "general",
        "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.",
        "title": "Customer Action"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-49756 Office Developer Platform Security Feature Bypass Vulnerability - HTML",
        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756"
      },
      {
        "category": "self",
        "summary": "CVE-2025-49756 Office Developer Platform Security Feature Bypass Vulnerability - CSAF",
        "url": "https://msrc.microsoft.com/csaf/advisories/2025/msrc_cve-2025-49756.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Exploitability Index",
        "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Office Developer Platform Security Feature Bypass Vulnerability",
    "tracking": {
      "current_release_date": "2025-07-08T07:00:00.000Z",
      "generator": {
        "date": "2025-08-23T00:39:18.797Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-49756",
      "initial_release_date": "2025-07-08T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-07-08T07:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003chttps://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft 365 Apps for Enterprise for 32-bit Systems \u003chttps://aka.ms/OfficeSecurityReleases",
              "product_id": "2"
            }
          },
          {
            "category": "product_version",
            "name": "https://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft 365 Apps for Enterprise for 32-bit Systems https://aka.ms/OfficeSecurityReleases",
              "product_id": "11762"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft 365 Apps for Enterprise for 32-bit Systems"
      },
      {
        "branches": [
          {
            "category": "product_version_range",
            "name": "\u003chttps://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft 365 Apps for Enterprise for 64-bit Systems \u003chttps://aka.ms/OfficeSecurityReleases",
              "product_id": "1"
            }
          },
          {
            "category": "product_version",
            "name": "https://aka.ms/OfficeSecurityReleases",
            "product": {
              "name": "Microsoft 365 Apps for Enterprise for 64-bit Systems https://aka.ms/OfficeSecurityReleases",
              "product_id": "11763"
            }
          }
        ],
        "category": "product_name",
        "name": "Microsoft 365 Apps for Enterprise for 64-bit Systems"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-49756",
      "cwe": {
        "id": "CWE-327",
        "name": "Use of a Broken or Risky Cryptographic Algorithm"
      },
      "notes": [
        {
          "category": "general",
          "text": "Microsoft",
          "title": "Assigning CNA"
        },
        {
          "category": "faq",
          "text": "To successfully exploit this vulnerability, an attacker would need to gain elevated privileges enabling them to perform file operations in directories they would not normally be able to access or perform.",
          "title": "According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?"
        },
        {
          "category": "faq",
          "text": "The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.",
          "title": "According to the CVSS metric, the attack vector is local (AV:L), privileges are required (PR:L) and user interaction is required (UI:R). How could an attacker exploit this security feature bypass vulnerability?"
        },
        {
          "category": "faq",
          "text": "An attacker is only able to compromise files that they were allowed access to as part of their initial privilege but cannot affect the availability of the browser.",
          "title": "According to the CVSS metric, Confidentiality and Integrity are rated as Low and Availability is None (C:L, I:L, A:N). What does that mean for this vulnerability?"
        },
        {
          "category": "faq",
          "text": "To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\nAdditionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.",
          "title": "How could an attacker exploit this vulnerability?"
        },
        {
          "category": "faq",
          "text": "An attacker who successfully exploited this vulnerability could bypass the Office Visual Basic for Applications (VBA) signature scheme.",
          "title": "What kind of security feature could be bypassed by successfully exploiting this vulnerability?"
        },
        {
          "category": "faq",
          "text": "No, the Preview Pane is not an attack vector.",
          "title": "Is the Preview Pane an attack vector for this vulnerability?"
        }
      ],
      "product_status": {
        "fixed": [
          "11762",
          "11763"
        ],
        "known_affected": [
          "1",
          "2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-49756 Office Developer Platform Security Feature Bypass Vulnerability - HTML",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756"
        },
        {
          "category": "self",
          "summary": "CVE-2025-49756 Office Developer Platform Security Feature Bypass Vulnerability - CSAF",
          "url": "https://msrc.microsoft.com/csaf/advisories/2025/msrc_cve-2025-49756.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-07-08T07:00:00.000Z",
          "details": "https://aka.ms/OfficeSecurityReleases:Security Update:https://docs.microsoft.com/en-us/officeupdates/office365-proplus-security-updates",
          "product_ids": [
            "2",
            "1"
          ],
          "url": "https://docs.microsoft.com/en-us/officeupdates/office365-proplus-security-updates"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "environmentalsScore": 0.0,
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 2.9,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "products": [
            "1",
            "2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Security Feature Bypass"
        },
        {
          "category": "exploit_status",
          "details": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely"
        }
      ],
      "title": "Office Developer Platform Security Feature Bypass Vulnerability"
    }
  ]
}

cnvd-2025-16875

Vulnerability from cnvd

Title

Microsoft Office 365加密问题漏洞

Description

Microsoft Office 365是美国微软（Microsoft）公司的一款办公软件套件产品。该产品常用组件包括Word、Excel、Access、Powerpoint、FrontPage等。 Microsoft Office 365存在安全漏洞。攻击者利用该漏洞可以绕过某些功能。

Severity

低

Patch Name

Microsoft Office 365加密问题漏洞的补丁

Patch Description

Microsoft Office 365是美国微软（Microsoft）公司的一款办公软件套件产品。该产品常用组件包括Word、Excel、Access、Powerpoint、FrontPage等。 Microsoft Office 365存在安全漏洞。攻击者利用该漏洞可以绕过某些功能。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-49756

Impacted products

Name
Microsoft 365 Apps for Enterprise

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-49756",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-49756"
    }
  },
  "description": "Microsoft Office 365\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u529e\u516c\u8f6f\u4ef6\u5957\u4ef6\u4ea7\u54c1\u3002\u8be5\u4ea7\u54c1\u5e38\u7528\u7ec4\u4ef6\u5305\u62ecWord\u3001Excel\u3001Access\u3001Powerpoint\u3001FrontPage\u7b49\u3002\n\nMicrosoft Office 365\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u7ed5\u8fc7\u67d0\u4e9b\u529f\u80fd\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-16875",
  "openTime": "2025-07-21",
  "patchDescription": "Microsoft Office 365\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u529e\u516c\u8f6f\u4ef6\u5957\u4ef6\u4ea7\u54c1\u3002\u8be5\u4ea7\u54c1\u5e38\u7528\u7ec4\u4ef6\u5305\u62ecWord\u3001Excel\u3001Access\u3001Powerpoint\u3001FrontPage\u7b49\u3002\r\n\r\nMicrosoft Office 365\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u7ed5\u8fc7\u67d0\u4e9b\u529f\u80fd\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Office 365\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Microsoft 365 Apps for Enterprise"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-49756",
  "serverity": "\u4f4e",
  "submitTime": "2025-07-21",
  "title": "Microsoft Office 365\u52a0\u5bc6\u95ee\u9898\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-49756 (GCVE-0-2025-49756)

Vulnerability from cvelistv5

CERTFR-2025-AVI-0576

Vulnerability from certfr_avis

Solutions

wid-sec-w-2025-1491

Vulnerability from csaf_certbund

fkie_cve-2025-49756

Vulnerability from fkie_nvd

ghsa-gfj7-mwjw-jmhf

Vulnerability from github

msrc_cve-2025-49756

Vulnerability from csaf_microsoft

cnvd-2025-16875

Vulnerability from cnvd

Tags

Sightings

Nomenclature