CVE-2025-49756 - Vulnerability Details - OpenCVE

Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Microsoft	365 365 Apps Office 365

No data.

No data.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756

History

Wed, 23 Jul 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft Microsoft 365 Microsoft 365 Apps Microsoft office 365
Vendors & Products		Microsoft Microsoft 365 Microsoft 365 Apps Microsoft office 365

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00014}`	epss `{'score': 0.0001}`

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00023}`	epss `{'score': 0.00014}`

Wed, 09 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 08 Jul 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description		Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.
Title		Office Developer Platform Security Feature Bypass Vulnerability
Weaknesses		CWE-327
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756
Metrics		cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}`

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2025-07-08T16:57:27.411Z

Updated: 2025-08-23T00:39:47.308Z

Reserved: 2025-06-09T22:49:37.620Z

Link: CVE-2025-49756

Vulnrichment

Updated: 2025-07-09T13:55:38.838Z

NVD

Status : Awaiting Analysis

Published: 2025-07-08T17:16:04.020

Modified: 2025-07-10T13:18:53.830

Link: CVE-2025-49756

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49756", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-06-09T22:49:37.620Z", "datePublished": "2025-07-08T16:57:27.411Z", "dateUpdated": "2025-08-23T00:39:47.308Z"}, "containers": {"cna": {"title": "Office Developer Platform Security Feature Bypass Vulnerability", "datePublic": "2025-07-08T07:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "16.0.1", "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft 365 Apps for Enterprise", "platforms": ["32-bit Systems", "x64-based Systems"], "versions": [{"version": "16.0.1", "lessThan": "https://aka.ms/OfficeSecurityReleases", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "lang": "en-US", "type": "CWE", "cweId": "CWE-327"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-08-23T00:39:47.308Z"}, "references": [{"name": "Office Developer Platform Security Feature Bypass Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "LOW", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-09T13:55:35.895163Z", "id": "CVE-2025-49756", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T13:55:41.737Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49756", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-09T13:55:35.895163Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T13:55:38.838Z"}}], "cna": {"title": "Office Developer Platform Security Feature Bypass Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft 365 Apps for Enterprise", "versions": [{"status": "affected", "version": "16.0.1", "lessThan": "https://aka.ms/OfficeSecurityReleases", "versionType": "custom"}], "platforms": ["32-bit Systems", "x64-based Systems"]}], "datePublic": "2025-07-08T07:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49756", "name": "Office Developer Platform Security Feature Bypass Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "versionEndExcluding": "https://aka.ms/OfficeSecurityReleases", "versionStartIncluding": "16.0.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2025-08-18T17:50:51.771Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49756", "state": "PUBLISHED", "dateUpdated": "2025-08-18T17:50:51.771Z", "dateReserved": "2025-06-09T22:49:37.620Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2025-07-08T16:57:27.411Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}