{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64677", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-11-06T23:40:37.277Z", "datePublished": "2025-12-18T22:02:08.421Z", "dateUpdated": "2026-04-16T14:19:06.932Z"}, "containers": {"cna": {"title": "Office Out-of-Box Experience Spoofing Vulnerability", "datePublic": "2025-12-18T08:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_out_of-box_experience:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Office Out-of-Box Experience", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en-US", "type": "CWE", "cweId": "CWE-79"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-16T14:19:06.932Z"}, "references": [{"name": "Office Out-of-Box Experience Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64677"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-19T15:11:48.537590Z", "id": "CVE-2025-64677", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-19T15:11:59.523Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64677", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-19T15:11:48.537590Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-19T15:11:55.194Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Office Out-of-Box Experience Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Office Out-of-Box Experience", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2025-12-18T08:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64677", "name": "Office Out-of-Box Experience Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:office_out_of-box_experience:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-02-20T15:59:43.534Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64677", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:59:43.534Z", "dateReserved": "2025-11-06T23:40:37.277Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2025-12-18T22:02:08.421Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:office_out-of-box_experience:-:*:*:*:*:*:*:*", "matchCriteriaId": "56FCF772-986A-4527-8CE3-B67F8B8AEA15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network."}], "id": "CVE-2025-64677", "lastModified": "2026-01-16T17:28:14.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-18T22:16:01.077", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64677"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secure@microsoft.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T15:37:25.418783+00:00", "value": {"mitigation_remediation": ["Install the latest Office Out\u2011of\u2011Box Experience update released by Microsoft to eliminate the XSS flaw.", "Configure Office OOBE to reject or sanitize untrusted input, preventing malicious data from being rendered.", "Enable web\u2011filtering or script\u2011blocking solutions that detect and block cross\u2011site scripting attempts in Office OOBE traffic."], "summary": {"action": "Patch Now", "impact": "Unauthorized spoofing via XSS"}, "threat_synthesis": {"affected_systems": "The flaw affects Microsoft Office Out\u2011of\u2011Box Experience. The CVE does not enumerate specific affected versions, so any installation of Office OOBE that has not applied Microsoft\u2019s latest update may be vulnerable.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation, classified as a cross\u2011site scripting flaw. An attacker who can supply malicious data to the Office Out\u2011of\u2011Box Experience can cause that data to be rendered unfiltered, allowing the attacker to create forged or misleading content that appears as legitimate Office output. This can mislead users into believing the content is authentic, potentially enabling phishing or social\u2011engineering attacks.", "risk_and_exploitability": "The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but still possible. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack path requires the attacker to supply crafted content that is incorporated into the Office web page rendering process, which could be achieved over a network connection to the Office OOBE service."}}}}, "created": "2026-04-20T15:45:10.379461+00:00", "updated": "2026-04-20T15:45:10.379473+00:00", "vendors": []}