Severity
High
Analysis Summary
Multiple critical vulnerabilities have been discovered in Microsoft Office, posing significant security risks across Windows, macOS, and Android platforms. The flaws CVE-2025-47162, CVE-2025-47953, CVE-2025-47164, and CVE-2025-47167 each carry a high CVSS severity rating and impact a wide range of Office versions, including Office 2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Android. These vulnerabilities stem from core memory management issues such as heap-based buffer overflow, use-after-free conditions, and type confusion, all of which allow arbitrary code execution if successfully exploited. Security researcher 0x140ce is credited with uncovering the flaws.
CVE-2025-47162 involves a heap-based buffer overflow caused by improper bounds checking in Office’s file parsing routines (CWE-122). Exploitation can occur simply by previewing a malicious document, without user interaction, allowing attackers to overwrite memory and gain control over system execution. CVE-2025-47953 is a use-after-free vulnerability (CWE-641) caused by incorrect resource name validation, where attackers can exploit dangling pointers to execute malicious code. This flaw affects Office on Windows, Mac, and Android, but Microsoft has rated its exploitation as less likely due to the complexity of memory manipulation.
CVE-2025-47164, another use-after-free bug (CWE-416), arises from Office’s failure to properly invalidate pointers after freeing memory. This enables attackers to reuse freed memory locations with injected malicious data. Unlike CVE-2025-47953, this flaw has been marked “Exploitation More Likely” due to predictable memory reuse patterns, affecting all Office editions since 2016. Lastly, CVE-2025-47167 involves a type confusion error (CWE-843), where Office misidentifies object types in malformed documents, leading to memory corruption and code execution. This vulnerability relies on embedding conflicting type metadata to mislead Office’s internal processing logic.
Microsoft released patches for these vulnerabilities on June 10, 2025, through Click-to-Run and traditional update mechanisms. All major Office platforms (32-bit, 64-bit, and Android) are covered, with specific build identifiers such as 16.0.5504.1000 for Office 2016 and 16.98.25060824 for macOS. However, Microsoft 365's cloud-based updates were not immediately available, with future releases to be announced via CVE revisions. Given the high severity and exploitability of these vulnerabilities, especially those requiring no user interaction, organizations are strongly urged to deploy the security updates without delay to mitigate the risk of targeted attacks and remote code execution.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-47162
- CVE-2025-47953
- CVE-2025-47164
- CVE-2025-47167
Affected Vendors
- Microsoft
Affected Products
- Microsoft Office
Remediation
- Update to apply the appropriate patch for your system, or use the Microsoft Security Update Guide to search for available patches: CVE-2025-47162, CVE-2025-47953, CVE-2025-47164, and CVE-2025-47167
- Ensure your installations match patched build numbers (e.g., 16.0.5504.1000 for Office 2016, 16.98.25060824 for macOS) to confirm successful update deployment.
- Prevent automatic code execution by disabling the Preview Pane for documents, especially in email clients like Outlook.
- Use Group Policy to disable macros in Office files from untrusted locations to reduce automated exploitation vectors.
- Monitor for unusual behavior when opening Office documents, especially those received from external sources, and flag suspicious activity for analysis.
- Enable Windows Defender Exploit Guard or third-party EDR solutions to detect heap overflows, use-after-free, and memory corruption attempts.
- For highly secure environments, restrict Office applications from reaching the internet to prevent remote payload delivery.
- Use Windows Defender Application Control or AppLocker to only allow execution of approved Office documents and scripts.
- Monitor Microsoft’s CVE advisories for updates, particularly for Microsoft 365 cloud-based Office apps, where patches may be released later.
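The following PowerShell script is an added example, not part of the original advisory and not a Microsoft tool. It implements the build-number check from the remediation steps above: it reads the installed Office build (from the Click-to-Run `VersionToReport` registry value, or from the file version of WINWORD.EXE for MSI-based installs) and compares it with a table of minimum patched builds. The Office 2016 value 16.0.5504.1000 comes from the advisory; the Click-to-Run minimum is a placeholder, since the advisory gives no build for that channel, and must be filled in from the Microsoft Security Update Guide. The registry paths used are standard Office install locations on Windows; run the script in an elevated PowerShell session.

```powershell
# Added example (not from the advisory): verify that the installed Office build
# meets the minimum patched build for the June 2025 Office CVEs.
# Assumes a Windows host with either Click-to-Run Office or MSI-based Office 2016.

$MinimumBuilds = @{
    # Build given in the advisory for Office 2016 (MSI-based installs)
    'Office2016-MSI' = [version]'16.0.5504.1000'
    # PLACEHOLDER: the advisory does not give a Click-to-Run build; take the value
    # for your update channel from the Microsoft Security Update Guide.
    'ClickToRun'     = [version]'0.0.0.0'
}

function Get-OfficeBuild {
    # Click-to-Run installs record the build under the ClickToRun Configuration key
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $v = (Get-ItemProperty -Path $c2r -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
        if ($v) {
            return [pscustomobject]@{ Type = 'ClickToRun'; Build = [version]$v }
        }
    }

    # MSI installs: locate WINWORD.EXE via its App Paths entry and read the file version
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
    if (Test-Path $appPath) {
        $exe = (Get-ItemProperty -Path $appPath -ErrorAction SilentlyContinue).'(default)'
        if ($exe -and (Test-Path $exe)) {
            $fv = (Get-Item $exe).VersionInfo.FileVersion
            return [pscustomobject]@{ Type = 'Office2016-MSI'; Build = [version]$fv }
        }
    }

    return $null
}

function Test-OfficePatched {
    param(
        [Parameter(Mandatory)] $Installed,
        [Parameter(Mandatory)] [hashtable] $Minimums
    )

    $min = $Minimums[$Installed.Type]

    # A missing or placeholder reference build gives no basis for a verdict
    if (-not $min -or $min -eq [version]'0.0.0.0') {
        return [pscustomobject]@{
            Type   = $Installed.Type
            Build  = $Installed.Build
            Status = 'UNKNOWN (no reference build configured)'
        }
    }

    $status = if ($Installed.Build -ge $min) { 'PATCHED' } else { 'VULNERABLE' }
    return [pscustomobject]@{
        Type    = $Installed.Type
        Build   = $Installed.Build
        Minimum = $min
        Status  = $status
    }
}

$installed = Get-OfficeBuild
if ($null -eq $installed) {
    Write-Warning 'No Office installation found via Click-to-Run or App Paths.'
} else {
    Test-OfficePatched -Installed $installed -Minimums $MinimumBuilds | Format-List
}
```

The `[version]` cast makes the comparison numeric per component rather than lexical, so 16.0.5504.1000 correctly sorts above 16.0.5500.1000. On a fleet, run the script through your endpoint management tool and collect the `Status` field; any host reporting VULNERABLE or UNKNOWN should be treated as unpatched until confirmed.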