Tuesday, March 31, 2026

Micropatches released for Windows Storage Elevation of Privilege Vulnerability (CVE-2026-21508)

 


February 2026 Windows Updates brought a patch for CVE-2026-21508, a local privilege escalation vulnerability in the Windows Storage component allowing a low-privileged local user to run arbitrary code as Local System.

The vulnerability was found and reported to Microsoft by security researcher Oscar Zanotti Campo. Oscar subsequently published a detailed analysis of the vulnerability and a proof-of-concept, both of which allowed us to reproduce and patch this issue for our users.

 

The Vulnerability 

This flaw is in the windows.storage.dll module when used by WUDFHost.exe. The WUDFHost.exe process impersonates the user while loading sensitive registry keys from the Classes\CLSID\ path for resolving the target handles. A local attacker can leverage this to get WUDFHost to use their own registry keys and load a malicious DLL, which can then revert the impersonation and run code as Local System.

 

Microsoft's Patch

Microsoft's patch forces WUDFHost.exe to load sensitive registry keys from the machine registry hive instead of from the calling user's hive.
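
One way to hunt for the condition described above, as an added example that is not 0patch's or Microsoft's code: it lists COM class registrations in the loaded per-user Classes hives and marks those that shadow a machine-wide registration of the same CLSID. It assumes the user-controlled keys live under HKEY_USERS\<SID>_Classes\CLSID; run it elevated to read every loaded hive.

```powershell
# Added example (not from the original post): find per-user COM registrations
# that shadow a machine-wide CLSID. Assumption: the per-user Classes hive is the
# user-controlled location. Run elevated to read all loaded user hives.
$machineRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'
$serverKeys  = 'InprocServer32', 'LocalServer32'

function Get-ServerPath {
    param([string]$ClsidKey, [string]$ServerKey)
    $key = Get-Item -LiteralPath "$ClsidKey\$ServerKey" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }   # default value holds the DLL or EXE path
}

# Per-user Classes hives are mounted as HKEY_USERS\<SID>_Classes
$hives = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '*_Classes' }

$results = foreach ($hive in $hives) {
    $userRoot = "Registry::HKEY_USERS\$($hive.PSChildName)\CLSID"
    $clsids   = Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue
    foreach ($c in $clsids) {
        foreach ($sk in $serverKeys) {
            $userPath = Get-ServerPath "$userRoot\$($c.PSChildName)" $sk
            if (-not $userPath) { continue }
            $machinePath = Get-ServerPath "$machineRoot\$($c.PSChildName)" $sk
            [pscustomobject]@{
                Hive           = $hive.PSChildName
                CLSID          = $c.PSChildName
                ServerKey      = $sk
                UserPath       = $userPath
                MachinePath    = $machinePath
                ShadowsMachine = [bool]$machinePath   # same CLSID also registered machine-wide
            }
        }
    }
}

$results | Sort-Object ShadowsMachine -Descending | Format-Table -AutoSize -Wrap
```

Legitimate software also registers per-user COM classes, so review the rows where ShadowsMachine is true and UserPath points to a user-writable folder first.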

 

Our Patch

Our patch is logically identical to Microsoft's. 


Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Oscar Zanotti Campo for sharing their analysis and proof-of-concept, which allowed us to create a patch and protect 0patch users against this issue.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here

To learn more about 0patch, please visit our Help Center.








 

Monday, March 30, 2026

Micropatches released for Arbitrary Registry Key Delete As Local System With Consolidator Scheduled Task (CVE-2025-59512)

 


November 2025 Windows Updates brought a patch for CVE-2025-59512, a local privilege escalation vulnerability in the Customer Experience Improvement Program, allowing a low-privileged Windows user to delete an arbitrary registry key as Local System - which can be used for running privileged code at a later time.

The vulnerability was found and reported to Microsoft by security researcher Tianlin Zhang. Security researcher Clément Labro subsequently reverse-engineered Microsoft's patch for another vulnerability but also detailed this arbitrary registry key delete issue in their article, which allowed us to reproduce and patch this issue for our users.

 

The Vulnerability 

The vulnerability is in the way the "Consolidator" scheduled task, part of the Customer Experience Improvement Program on Windows, deletes all registry subkeys under one of its own registry keys when started. Due to improper permissions on said key, any local user can specify a further subkey that is a symbolic link to another key anywhere else in the registry and run the scheduled task. This results in the key linked to by the symbolic link getting deleted.

Deleting an arbitrary registry key can result in all kinds of things including disabling security features or exploiting some other vulnerability. 
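
The two preconditions described above (a key that ordinary users can add subkeys to, and a subkey that is a symbolic link) can be audited on any key that a privileged task cleans up. The following is an added example, not code from 0patch, Microsoft or the researchers; `$SubKey` is a placeholder because this page does not name the affected key, and `Get-RegLinkTarget` is a helper defined here.

```powershell
# Added example. $SubKey is a placeholder: the page does not name the key the task cleans.
$SubKey    = 'SOFTWARE\ExampleVendor\PlaceholderKey'      # relative to HKLM
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'        # Everyone, Authenticated Users, Users

Add-Type -Namespace Win32 -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyEx(Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    string subKey, uint options, uint sam, out IntPtr result);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueEx(IntPtr hKey, string name, IntPtr reserved,
    out uint type, byte[] data, ref uint size);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

function Get-RegLinkTarget {
    param([string]$Path)    # HKLM-relative; returns the link target, or nothing if not a link
    $h    = [IntPtr]::Zero
    $hklm = [Microsoft.Win32.Registry]::LocalMachine.Handle
    # 8 = REG_OPTION_OPEN_LINK (open the link key itself), 1 = KEY_QUERY_VALUE
    if ([Win32.Reg]::RegOpenKeyEx($hklm, $Path, 8, 1, [ref]$h) -ne 0) { return }
    try {
        $type = [uint32]0; $size = [uint32]2048; $buf = New-Object byte[] 2048
        $rc = [Win32.Reg]::RegQueryValueEx($h, 'SymbolicLinkValue', [IntPtr]::Zero,
                                           [ref]$type, $buf, [ref]$size)
        if ($rc -eq 0 -and $type -eq 6) {                 # 6 = REG_LINK
            [Text.Encoding]::Unicode.GetString($buf, 0, [int]$size)
        }
    } finally { [void][Win32.Reg]::RegCloseKey($h) }
}

# 1) Can broad groups create subkeys or links under the key?
$rights = [int][System.Security.AccessControl.RegistryRights]'CreateSubKey, CreateLink'
$weak = (Get-Acl -LiteralPath "HKLM:\$SubKey").GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broadSids -contains $_.IdentityReference.Value -and
                   ([int]$_.RegistryRights -band $rights) -ne 0 }

# 2) Which existing subkeys are symbolic links, and where do they point?
$links = foreach ($name in (Get-Item -LiteralPath "HKLM:\$SubKey").GetSubKeyNames()) {
    $target = Get-RegLinkTarget "$SubKey\$name"
    if ($target) { [pscustomobject]@{ Subkey = $name; Target = $target } }
}

"Broad create access on HKLM\${SubKey}: $(@($weak).Count -gt 0)"
$links | Format-Table -AutoSize
```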

 

Microsoft's Patch

Microsoft's patch eliminated the entire functionality of deleting registry subkeys from the "Consolidator" scheduled task.

 

Our Patch

Our patch is logically identical to Microsoft's. 

Let's see our patch in action. First, a low-privileged user creates a registry symbolic link pointing to a registry key test under HKLM\SOFTWARE and runs the "Consolidator" scheduled task while 0patch Agent is disabled. This results in HKLM\SOFTWARE\test getting deleted. Doing the same with 0patch Agent enabled does not result in the deletion of HKLM\SOFTWARE\test.


 

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated
  10. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  12. Windows Server 2012 - fully updated with no ESU or ESU 1
  13. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

We'd like to thank Tianlin Zhang for discovering this vulnerability and Clément Labro for publishing their analysis, both of which allowed us to create a patch and protect 0patch users against this issue.

 

Monday, March 23, 2026

Micropatches released for Desktop Windows Manager Elevation of Privilege Vulnerability (CVE-2025-55681)

 


October 2025 Windows Updates brought a fix for CVE-2025-55681, a local privilege escalation vulnerability in Desktop Windows Manager that allowed a low-privileged attacker to execute malicious code as Local System. The vulnerability was subsequently described in detail by SSD Secure Disclosure, allowing us to reproduce it and create a patch for legacy Windows systems.

 

The Vulnerability 

The vulnerability is a memory corruption issue, caused by accessing an allocated memory block out of bounds.

 

Microsoft's Patch

Microsoft's patch added an out-of-bounds check to the code, which terminates the process in case of violation. This effectively turned the local privilege escalation vulnerability into a denial of service vulnerability, but the assumption is that terminating the Desktop Windows Manager on a computer does not benefit the local attacker.

 

Our Patch

Our patch is logically identical to Microsoft's. 


Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated 


We could not reproduce the issue on any 32-bit Windows machine, nor on Windows 10 v1903 or 1809.


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

We'd like to thank SSD Secure Disclosure for discovering this vulnerability and publishing their analysis, which allowed us to create a patch and protect 0patch users against this issue.

 

Wednesday, March 18, 2026

Micropatches released for Microsoft Access Remote Code Execution Vulnerability (CVE-2025-62552)


 

December 2025 Windows Updates brought a patch for CVE-2025-62552, a remote code execution vulnerability in Microsoft Access that could allow a remote attacker to have their malicious code executed on the user's computer upon opening a Word file with an Access database connection.

The vulnerability was discovered and reported to Microsoft by security researcher Alberto Bruscino. Alberto subsequently published a detailed article, and shared their POC with us, which allowed us to reproduce the vulnerability and create patches for it.

 

The Vulnerability 

The vulnerability is in the way Microsoft Access creates a database file in an ODBC connection, whereby a malicious Word file with an Access database connection (such as via the "mail merge" functionality) can create an arbitrary Word file in an Office-trusted location, subsequently resulting in the attacker's Word macros being executed with the user's identity. (See Alberto's article for a detailed process.)

Among our security-adopted Office versions, we found this vulnerability to affect not only Office 2016 and 2019 click-to-run, but also Office 2013 and Office 2010. Office 2016 and 2019 volume license received an official patch from Microsoft.

 

Microsoft's Patch

Microsoft patched this issue by changing Microsoft Access logic such that using remote database files now also adheres to the already-existing trust model based on Trusted Locations. Various other security decisions have previously been based on the Trusted Locations model, e.g., whether a document opened from a folder is allowed to execute macros, but now the decision to use a remote database file is also included.

Note that this change, while needed for security, has negatively affected various use cases, resulting in an "Operation is not supported" error when remote database connections were used by Office documents outside of trusted locations:

Microsoft Learn: Operation is not supported error in Access and Excel

To resolve this error, users had to either move the affected Office documents to a Trusted Location, or (not recommended) disable this enforcement using the AllowQueryRemoteTables registry value as described in this article (see section "Access Connectivity Engine (ACE)").

Here is another good article on resolving this error.

 

Our Patch

Our patch is logically identical to Microsoft's. This means that - just like with Microsoft's patch - it can break some existing use cases that involve external database references. Should this happen, we recommend the following course of action:

  1. Try adding the Office document that produces the error to a Trusted Location (see here for Office 2013, here for Office 2016 and higher), either by moving the document to one of the existing trusted locations, or by adding a new trusted location where the document resides. In the latter case, be careful not to trust a location where an attacker could potentially place their own malicious Office documents.
  2. If the above fails, disable all relevant patches for CVE-2025-62552 - in PRO accounts, disable patches in 0patch Console locally on the affected computer; in Enterprise accounts, disable patches in 0patch Central for groups containing affected computers.
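
Before adding a new trusted location as in step 1, it helps to review which locations are already trusted and whether other users can drop files into them. The following is an added example, not part of 0patch's or Microsoft's tooling; it reads the current user's Trusted Locations from the registry (user-set and policy-set) and flags entries that include subfolders, point to a network path, or are writable by broad groups. `Test-BroadlyWritable` is a helper defined here.

```powershell
# Added example (not from the original post): audit Office Trusted Locations
# for the current user and flag the ones an attacker could plausibly write to.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users
$create    = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$roots     = 'HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office'

function Test-BroadlyWritable {
    param([string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) { return $false }
    $rules = (Get-Acl -LiteralPath $Folder).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and
            $broadSids -contains $r.IdentityReference.Value -and
            ([int]$r.FileSystemRights -band $create) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # Layout: <root>\<version>\<app>\Security\Trusted Locations\<LocationN>
    foreach ($ver in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        foreach ($app in Get-ChildItem -LiteralPath $ver.PSPath -ErrorAction SilentlyContinue) {
            $tl = "$($app.PSPath)\Security\Trusted Locations"
            if (-not (Test-Path -LiteralPath $tl)) { continue }
            foreach ($loc in Get-ChildItem -LiteralPath $tl) {
                $raw = [string]$loc.GetValue('Path')
                if (-not $raw) { continue }
                $path = [Environment]::ExpandEnvironmentVariables($raw)
                [pscustomobject]@{
                    App        = "$($ver.PSChildName)\$($app.PSChildName)"
                    Path       = $path
                    SubFolders = [bool]$loc.GetValue('AllowSubFolders')
                    Network    = $path -match '^(\\\\|https?://)'
                    BroadWrite = Test-BroadlyWritable $path
                }
            }
        }
    }
}

$findings | Where-Object { $_.SubFolders -or $_.Network -or $_.BroadWrite } |
    Format-Table -AutoSize -Wrap
```

The ACL check only looks at specific file-system rights granted to the three listed groups, so a location that passes still deserves a manual look if it sits on a share or in a download or temp folder.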

  

Let's see our patch in action on a fully updated Office 2019 click-to-run, which we security-adopted last October when it received its last official security patches. The user opens a malicious clickme.docx document while 0patch is disabled and agrees to have Word use an embedded SQL query and run a mail merge operation (both of which should not be considered dangerous per se), which leads to an error message about "unreadable content" -- at that time, a malicious file has already been created in an Office-trusted location. With 0patch enabled, the same process produces no file in the Office-trusted location.


 

 

Micropatch Availability

Micropatches were written for the following 32-bit and 64-bit security-adopted Microsoft Office versions:

  1. Microsoft Office 2019 click-to-run - updated with all available updates (version 2508, build 19127.20302)
  2. Microsoft Office 2016 click-to-run - updated with all available updates (version 2508, build 19127.20302)
  3. Microsoft Office 2013 - updated with all available updates
  4. Microsoft Office 2010 - updated with all available updates 

Office 2016 and 2019 volume license received an official patch from Microsoft. 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

We'd like to thank Alberto Bruscino for sharing vulnerability details and POC, which allowed us to create a patch for this issue and protect our users.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here
