
Critical Office security bug fixes for June

Among Microsoft’s June security bug fixes there are some that directly affect Microsoft Office users. These three caught our eye. Two are rated as High risk while another is Critical, though we’d suggest ‘Unforgivable’ is a better word.

Power Automate Privilege Escalation Vulnerability

CVE-2025-47966

CVSS score: Critical 9.8 out of 10.

Through an information leak in Power Automate, attackers can obtain sensitive information and achieve privilege escalation. This is unforgivable from a company that is supposed to be so security conscious.

There’s no patch for this bug because it’s a fault in the cloud software.

Microsoft details page

Microsoft Word Remote Code Execution Vulnerability

CVE-2025-47957

CVSS score: High 8.4.

Due to a “use after free” problem in Word, an unauthenticated attacker can execute code locally.

Affects:

  • Office LTSC 2024 for 64-bit and 32-bit editions
  • Office LTSC 2021 for 64-bit and 32-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit and 32-bit systems

Microsoft’s details page.

Microsoft Word Remote Code Execution Vulnerability

CVE-2025-32717

CVSS score: High 8.4.

Yet another security problem with RTF files. A hacker can make an RTF file that takes advantage of a Word remote code execution vulnerability. This patch fixes a heap-based buffer overflow vulnerability in Word that can let an attacker execute code on a computer.

Affects:

  • Microsoft 365 Apps for Enterprise for 64-bit and 32-bit systems

Microsoft’s details page.

Other Office security fixes for June 2025

| CVE | Title | Severity |
|---|---|---|
| CVE-2025-47162 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| CVE-2025-47164 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| CVE-2025-47167 | Microsoft Office Remote Code Execution Vulnerability | Critical |
| CVE-2025-47165 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| CVE-2025-47168 | Microsoft Word Remote Code Execution Vulnerability | Important |
| CVE-2025-47169 | Microsoft Word Remote Code Execution Vulnerability | Important |
| CVE-2025-47170 | Microsoft Word Remote Code Execution Vulnerability | Important |
| CVE-2025-47171 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
| CVE-2025-47173 | Microsoft Office Remote Code Execution Vulnerability | Important |
| CVE-2025-47174 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| CVE-2025-47175 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important |
| CVE-2025-47176 | Microsoft Outlook Remote Code Execution Vulnerability | Important |

About this author

Office-Watch.com
