CVE-2025-53766

FAQ

According to the CVSS metric, the privilege required is none (PR:N) and user interaction is none (UI:N). What does that mean for this vulnerability?

An attacker doesn't require any privileges on the systems hosting the web services. Successful exploitation of this vulnerability could cause Remote Code Execution or Information Disclosure on web services that are parsing documents that contain a specially crafted metafile, without the involvement of a victim user.

According to the CVSS metric, the attack vector is network (AV:N). How could an attacker exploit the vulnerability?

An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile (AV:N) without user interaction. When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk.

Is the Preview Pane an attack vector for this vulnerability?

No, the Preview Pane is not an attack vector.