
30+ CVEs in Microsoft Office Demand Immediate Patching

cert.ssi.gouv.fr · @threat_watch · 2 hours ago · Cybersecurity · 3 comments

CERT-FR warns of 31 vulnerabilities across Office 2016, 2019, LTSC, and 365, enabling remote code execution, privilege escalation, and data theft.

Tags: microsoft office, cert fr, cve 2026 44803, remote code execution, privilege escalation, vulnerability advisory

31 separate CVEs landed in a single Microsoft Office security update on June 9, 2026 — and CERT-FR is telling everyone to patch right now.

Every one of those vulnerabilities can be exploited remotely. Attackers get arbitrary code execution, privilege elevation, or data confidentiality bypass. That's not a theory; that's the advisory language from the French national cybersecurity agency.

What's Actually Affected?

Microsoft 365 Apps for Enterprise (32- and 64-bit), Office 2016, Office 2019, Office LTSC 2021 and 2024 — all editions, Windows and Mac. Also Office Online Server, Excel for Android, PowerPoint for Android, Word for Android. Build numbers matter: Office 2016 versions before 16.0.5556.1001 are vulnerable. Office Online Server before 16.0.10417.20137. Check your deployment.

CERT-FR lists product lines clearly: Office 2016 32-bit and 64-bit editions prior to 16.0.5556.1001 and 16.0.5556.1005; Office 2019; Office LTSC 2021 for Mac; Office LTSC 2024 for Mac; and the Android apps. If you're running any of these without the June 2026 patch, you're exposed.
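A build check of this kind is easy to get wrong when versions are compared as strings. The following is an added example, not part of the CERT-FR advisory or Microsoft tooling: it triages an inventory export against the two build thresholds quoted above. The CSV layout, host names and sample builds are constructed, and treating Office 2016 builds between 16.0.5556.1001 and 16.0.5556.1005 as "REVIEW" is an assumption, since the text does not say which edition each number applies to.

```python
import csv
import io

# Minimum fixed builds as stated on this page. The page also lists
# 16.0.5556.1005 for some Office 2016 editions without saying which,
# so builds from the first value up to the second are sent for review.
FIXED_BUILDS = {
    "Office 2016": ("16.0.5556.1001", "16.0.5556.1005"),
    "Office Online Server": ("16.0.10417.20137", "16.0.10417.20137"),
}

def parse_build(text):
    """Turn '16.0.5556.1001' into an int tuple; as strings, '999' sorts above '1001'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, build):
    """Return VULNERABLE, REVIEW, PATCHED or UNKNOWN for one inventory row."""
    if product not in FIXED_BUILDS:
        return "UNKNOWN"  # page gives no build threshold for this product
    try:
        installed = parse_build(build)
    except ValueError:
        return "UNKNOWN"  # unparseable build: check the host by hand
    low, high = (parse_build(b) for b in FIXED_BUILDS[product])
    if installed < low:
        return "VULNERABLE"
    return "REVIEW" if installed < high else "PATCHED"

def triage(inventory_csv):
    """Map each host in a host,product,build CSV to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["build"]) for r in rows}

# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE = """host,product,build
ws-001,Office 2016,16.0.5556.1001
ws-002,Office 2016,16.0.5540.1000
ws-003,Office 2016,16.0.5556.1005
oos-01,Office Online Server,16.0.10417.20100
oos-02,Office Online Server,16.0.10417.20137
ws-004,Office 2019,16.0.10417.20137
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as UNKNOWN run a product for which this page gives no build number; look up the fixed build in the Microsoft bulletin for that product before marking them patched.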

The Real Risk: Remote Code Execution Just From Opening a File

Most of the 31 CVEs — CVE-2026-44803 through CVE-2026-47635 — allow arbitrary code execution remotely. That means a crafted document sent via email, downloaded from a share, or opened from a web link can execute attacker-controlled code. No user interaction beyond opening the file. Privilege escalation and data confidentiality breaches are secondary, but they make the blast radius worse.

Microsoft's security bulletins (linked by CERT-FR) contain individual patch details. Every CVE gets its own URL at msrc.microsoft.com. If you're on a Windows admin team, that's your reading list for today.

The only responsible move is to apply the patches immediately. Office is one of the most targeted application suites in the enterprise — a 31-CVE drop like this is a gift to every threat actor monitoring Patch Tuesday.


Source: Multiple vulnerabilities in Microsoft Office (June 10, 2026)
Domain: cert.ssi.gouv.fr
