cvss attack vector

Microsoft’s CVE-2026-45463 is titled as a Microsoft Office remote code execution vulnerability because the attacker can be remote from the victim, even though the CVSS attack vector is Local because exploitation requires malicious code or content to be processed on the victim’s own machine. That...

Microsoft’s CVE-2026-45645 advisory describes a Microsoft Office remote code execution vulnerability even though its CVSS attack vector is local because “remote code execution” describes where the attacker’s code can end up running, while AV:L describes the mechanics required to trigger the bug...

Microsoft’s CVE-2026-45474 advisory describes a Microsoft Office remote code execution vulnerability because the attacker can be remote from the victim, even though the CVSS attack vector is local because exploitation requires malicious code or content to run on the target machine during the...

In Microsoft’s terminology, the phrase “Remote Code Execution” in the CVE title describes the impact of the bug, not necessarily the CVSS attack vector. In other words, if the vulnerability is successfully triggered, the attacker can cause code to run on the victim’s machine, but the exploit...

The short answer is that “Remote Code Execution” in Microsoft’s CVE title describes the impact class, not necessarily the CVSS attack vector. Microsoft’s own guidance and long-standing MSRC usage show that a vulnerability can be labeled RCE even when exploitation requires local user interaction...

Microsoft’s use of “Remote Code Execution” in a CVE title does not always mean the exploit is launched over the network from a distant attacker. In Microsoft’s terminology, the label describes the impact of the bug: if exploited successfully, it can let an attacker run code on the target system...