Microsoft’s July 2026 security updates for Office include a fix for a high-severity vulnerability in Excel that could let an attacker take over a PC just by convincing someone to open a specially crafted spreadsheet. The flaw, tracked as CVE-2026-55025 and rated 7.8 on the CVSS scale, affects nearly every supported version of Excel, from Office 2016 to the latest Microsoft 365 subscription.
A Code-Execution Bug in Excel’s Parsing Engine
CVE-2026-55025 is a type-confusion vulnerability (CWE-843) in Microsoft Office Excel. When the application processes a maliciously crafted file, it mishandles certain data types, leading to memory corruption. An attacker can exploit that corruption to execute arbitrary code in the security context of the current user. Unlike some Office vulnerabilities that rely on legacy macros, this one targets deeper parsing logic, meaning disabling macros alone won’t stop it.
The patch closes the hole across a wide range of products: Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and corresponding Mac and Office Online Server editions. Affected installations should be updated to these versions or later:
- Excel 2016: 16.0.5561.1001
- Office Online Server: 16.0.10417.20175
- Mac editions: 16.111.26071215
- Microsoft 365 Apps, Office 2019, and LTSC releases: patched through their respective Click-to-Run or volume-licensed channels.
The Attack Path: One Click Away from Compromise
Exploiting CVE-2026-55025 requires user interaction: a victim must open a weaponized workbook. That file can arrive through email, messaging apps, shared drives, malicious websites, or even a USB stick. Once Excel parses the file, the type confusion triggers, and the attacker’s code runs. Simply previewing the file in Windows Explorer is not enough to cause harm; the file must be loaded by the Excel process.
This attack chain is common for Office-based exploits, but the consequences are severe. With code execution at the user’s privilege level, an attacker can read sensitive documents, modify data, install malware, or move laterally across a network. The risk is higher for users with administrative rights or access to critical file shares.
What Makes This Flaw So Dangerous
The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) breaks down the technical details. “Local” attack vector means the vulnerable component runs on the target machine, but it does not mean the attacker needs physical access. The attacker can be continents away, while the malicious file triggers exploitation locally. Microsoft labels the flaw as a remote code execution to highlight that an external actor can gain control of your system — even though the actual exploit fires on your PC.
With a base score of 7.8, this vulnerability ticks all the dangerous boxes: low attack complexity, no prior privileges needed, and high impact to confidentiality, integrity, and availability. A successful attack can read, write, or destroy data; the only saving grace is that it cannot jump from Excel’s security scope to a higher one (S:U, meaning scope is unchanged).
Why ‘Local’ Doesn’t Mean You’re Safe
There’s often confusion when a CVE title says “remote code execution” but the CVSS vector says “AV:L.” The key distinction is where the code runs, not where the attacker sits. Exploitation happens locally because Excel is not a network-facing service; you can’t just send it a malicious packet and gain access. Instead, the attacker must deliver a file that Excel will process on your computer. That file can come from an email, a website download, or any other Internet-connected source — making the attacker effectively remote even though the vulnerability itself is triggered locally.
This is Microsoft’s official explanation, directly from the Security Update Guide: the word “Remote” refers to the attacker’s location. In practical terms, if you receive a malicious spreadsheet from a stranger online and open it, you’ve just invited a remote attack onto your local machine. Don’t let the “Local” label lull you into a false sense of safety.
Built-in Defenses That Help—But Don’t Replace Patching
Microsoft 365 includes multiple layers of protection that can blunt or block this type of attack. Protected View opens downloaded and email attachments in a sandboxed, read-only mode that limits the damage even if the file is malicious. The Mark of the Web (MoTW) tagging also forces Protected View for files of unknown origin. Application Guard for Office goes further, opening suspicious documents inside a hardware-isolated container.
For enterprise environments, Attack Surface Reduction (ASR) rules, email filtering, and endpoint detection and response (EDR) tools can flag or quarantine suspicious Office files. Windows Defender and third-party antivirus products are likely to detect known patterns shortly after a patch is released.
But none of these are foolproof. Protected View can be bypassed if MoTW is stripped from a file—a common issue with archive tools, document management platforms, or misconfigured SharePoint libraries. And because this vulnerability doesn’t require macros, turning off VBA execution offers no protection. The only reliable fix is applying the July 14 security update.
Immediate Steps for IT Administrators
Patch deployment should be your first move. For Click-to-Run installations (Microsoft 365 Apps, Office 2019, LTSC), updates are typically automatic via Windows Update or the Office deployment tool. Volume-licensed products like Office 2016 may need manual updates through Microsoft Update Catalog or your patch management solution. After installing, verify the application build number rather than trusting a “success” status alone. Here’s what to check:
- Excel 2016: File > Account > About Excel → build 16.0.5561.1001 or higher.
- Office Online Server: Use the central administration console to confirm 16.0.10417.20175 or later.
- Mac: Run Excel, then Help > Check for Updates, and confirm version 16.111.26071215+.
For environments with disconnected systems or persistent virtual desktop images, make sure your offline update packages and master images include this fix. Also scan for any custom line-of-business add-ins or integrations that could interfere with the update process.
Consider enabling ASR rules if you haven’t already, especially “Block Office applications from creating child processes” and “Block Office applications from injecting code into other processes,” which can limit the post-exploitation blast radius. Educate users to treat unexpected Excel attachments with suspicion, even if they come from known senders.
Looking Ahead: The Continuous Office Threat Landscape
No public reports of active exploitation of CVE-2026-55025 have surfaced yet, but that’s typical for vulnerabilities patched during a regular security update cycle. The window from patch release to reverse-engineering and exploitation in the wild can be measured in days, not weeks. Attackers know that many organizations lag in deploying Office updates, and they’ll move quickly to weaponize the flaw.
Office remains a favorite target precisely because of its ubiquity and the mundane trust users place in spreadsheets, documents, and presentations. This isn’t the first type-confusion bug in Excel, and it won’t be the last. Keeping automatic updates turned on for your Microsoft 365 subscription is the simplest defense; enterprise admins should maintain a disciplined patching cadence and monitor Microsoft’s security advisories for any out-of-band releases.
For now, open your Office apps, check for updates, and make sure today’s critical patch is installed. A single unpatched Excel installation on any machine in your environment could be the entry point someone is waiting for.