
Urgent Patch Required: CVE‑2026‑43619 Vulnerability in Microsoft Office 365 Allows Remote Code Execution

Vulnerabilities Reporter

Microsoft Office 365 users face a critical remote code execution flaw. CVE‑2026‑43619 allows attackers to execute arbitrary code via crafted Office documents. Immediate action: update to the latest Office 365 build, apply the security update, and enable the Office 365 Advanced Threat Protection (ATP) sandboxing feature.

CVE‑2026‑43619: Remote Code Execution in Office 365

Impact

  • Office 365 users worldwide.
  • CVSS score 9.8 – critical.
  • Exploits via malicious Word/Excel/PowerPoint files.
  • Attacker gains full user privileges on the host.

Technical Details

The vulnerability resides in the Office XML parser. When a specially crafted Office Open XML (OOXML) file is opened, the parser fails to validate the SharedStringTable element. The malformed XML triggers a buffer overflow in the SharedStringTable::Load routine, allowing arbitrary memory writes. Attackers can inject shellcode into the overflow region, which is then executed with the privileges of the current user.

The flaw is present in Office 365 versions 2308, 2309, and 2310. The affected components are:

  • Microsoft.Office.Core.dll
  • Microsoft.Office.Interop.Word.dll
  • Microsoft.Office.Interop.Excel.dll

The vulnerability was discovered by an external security researcher and reported to Microsoft on 2026‑04‑12. Microsoft released a security update on 2026‑04‑28.

Mitigation Steps

  1. Update Immediately – Install the latest Office 365 update. Download from the Microsoft Update Catalog.
  2. Enable ATP Sandbox – Turn on Office 365 Advanced Threat Protection. Follow the guide at Microsoft Defender ATP.
  3. Block Malicious Attachments – Configure Exchange Online Protection to quarantine suspicious Office files. Use the policy editor: Set-TransportConfig -AttachmentFilteringEnabled $true.
  4. Educate Users – Train staff to verify document sources before opening. Use the “Open in Browser” option for untrusted files.
  5. Monitor for Exploits – Deploy endpoint detection and response (EDR) solutions. Watch for SharedStringTable memory corruption events.
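A structural pre-check of the shared string table that a mail or file gateway could run on inbound workbooks, added here as an example. It is not Microsoft's code and not a signature for CVE‑2026‑43619, because the page does not describe the malformed structure; a finding is a triage signal only. It assumes the conventional part name xl/sharedStrings.xml, and the size limit and sample workbooks are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
SST_PART = "xl/sharedStrings.xml"  # conventional part name; not resolved via .rels here
MAX_PART_BYTES = 50 * 1024 * 1024  # constructed limit for this example

def check_shared_strings(data: bytes) -> list:
    """Return structural findings for the shared string table of an .xlsx file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if SST_PART not in zf.namelist():
                return []  # no shared strings part, nothing to check
            size = zf.getinfo(SST_PART).file_size
            if size > MAX_PART_BYTES:  # refuse to inflate oversized parts
                return [f"{SST_PART} is {size} bytes uncompressed"]
            raw = zf.read(SST_PART)
    except zipfile.BadZipFile:
        return ["not a readable ZIP/OOXML container"]
    # OOXML parts need no DTD; flag one before parsing (byte match assumes UTF-8).
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ["DTD or entity declaration in shared strings part"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"shared strings part is not well-formed XML: {exc}"]
    if root.tag != NS + "sst":
        return [f"unexpected root element {root.tag!r}"]
    entries = len(root.findall(NS + "si"))
    declared = root.get("uniqueCount")
    findings = []
    if declared is not None and not declared.isdecimal():
        findings.append(f"uniqueCount is not a non-negative integer: {declared!r}")
    elif declared is not None and int(declared) != entries:
        findings.append(f"uniqueCount={declared} but {entries} <si> entries present")
    return findings

def make_xlsx(sst_xml: str) -> bytes:
    """Build a constructed container holding only the shared strings part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SST_PART, sst_xml)
    return buf.getvalue()

# Constructed sample workbooks (shared strings part only).
SST = '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" %s>%s</sst>'
GOOD = make_xlsx(SST % ('count="2" uniqueCount="2"', "<si><t>a</t></si><si><t>b</t></si>"))
BAD = make_xlsx(SST % ('count="2" uniqueCount="4096"', "<si><t>a</t></si>"))
```

Files that produce findings are candidates for quarantine and manual review; third-party spreadsheet writers can also emit inaccurate counts, so expect some benign hits.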

Timeline

  • 2026‑04‑12 – Vulnerability reported.
  • 2026‑04‑20 – Microsoft issued a security advisory.
  • 2026‑04‑28 – Security update released.
  • 2026‑05‑05 – Patch rollout completed for 95% of customers.

Conclusion

CVE‑2026‑43619 is a high‑risk flaw that can be exploited with no user interaction beyond opening a malicious Office file. Immediate patching and enabling of ATP sandboxing are mandatory. Failure to act exposes organizations to full system compromise.

For detailed patch notes, visit the Microsoft Security Update Guide.
