CVE-2026-45645: Why “Remote RCE” Uses AV:L for Microsoft Office

Microsoft’s CVE-2026-45645 advisory describes a Microsoft Office remote code execution vulnerability even though its CVSS attack vector is local because “remote code execution” describes where the attacker’s code can end up running, while AV:L describes the mechanics required to trigger the bug on the victim’s machine. In plain English: the attacker may be remote from the target, but the vulnerable action happens locally when Office processes a malicious file or content. That distinction is not pedantry; it is the difference between a wormable network service bug and the document-based attack model that has defined Office exploitation for decades.

Diagram showing remote code execution via a malicious Office document targeting a Windows victim endpoint.

Microsoft’s Wording Sounds Contradictory Because Two Taxonomies Are Colliding

The confusion starts with a reasonable assumption: if a vulnerability is called remote code execution, surely the CVSS vector should say the attack is remote too. But vulnerability titles and CVSS metrics are not trying to answer the same question.
A title like “Microsoft Office Remote Code Execution Vulnerability” is an impact label. It tells defenders that successful exploitation may allow attacker-controlled code to run in the context of the affected application or user. The CVSS attack vector, by contrast, describes the route the exploit must take to reach the vulnerable component.
For CVE-2026-45645, Microsoft’s own explanation says the “Remote” in the title refers to the location of the attacker, while the attack itself is carried out locally. That usually means a malicious Office document, template, add-in, embedded object, or similar content has to be opened or processed on the local machine.
That is why the same advisory can say remote code execution and still carry AV:L. The attacker does not need to sit at the keyboard, but the vulnerable code path is not exposed as a network listener that can be exploited directly across the wire.

“Remote” Has Always Done Too Much Work in Security Language

Security teams use “remote code execution” as a term of art, but it has never been as precise as people want it to be. In everyday patching language, RCE often means “an attacker can get their code to run on your system.” It does not always mean “an attacker can send packets directly to a listening service and immediately take over the machine.”
That looser usage is especially common in client-side software. Office, browsers, PDF readers, media players, archive tools, and image libraries frequently receive RCE classifications when a crafted file can trigger memory corruption or unsafe behavior during parsing. The attacker may be across the internet, but the exploit starts when the victim’s application touches the content.
This is why the older phrase arbitrary code execution is sometimes clearer. ACE focuses on the outcome: attacker-chosen code runs. RCE adds a threat-model hint: the attacker does not already need local hands-on-keyboard access. Neither phrase, by itself, tells you whether the exploit is network-reachable, clickless, preview-triggered, or dependent on user interaction.
That missing detail is what CVSS is supposed to supply.

AV:L Is Not a Comfort Blanket

The “local” attack vector is easy to underestimate. In CVSS v3.1, AV:L means the vulnerable component is not bound to the network stack; it does not mean the attacker already has an account on the machine or physical access to it. The specification explicitly includes the case where the attacker relies on User Interaction by another person, for example tricking a legitimate user into opening a malicious document. That is the Office case exactly: the attacker never touches the endpoint directly, but vulnerable code still executes on it because a local user opened or previewed the attacker’s content.
For Office vulnerabilities, that is often the whole game. The attacker sends a document, hosts it on a share, embeds it in a workflow, or delivers it through email, chat, cloud storage, or a compromised business process. The exploit is not launched by poking TCP port 445 or 443 from the outside. It is launched when Word, Excel, PowerPoint, Outlook, or another Office component parses the attacker’s content locally.
That distinction matters operationally. AV:L generally implies different exposure than AV:N. A network-vector RCE may be exploitable at scale against reachable systems without a user doing much of anything. A local-vector Office RCE often depends on delivery, persuasion, preview behavior, file association, or some other path that gets the malicious content processed by the target application.
But “different” does not mean “low risk.” Office is built for receiving untrusted documents from the outside world. A vulnerability that depends on a local Office process can still be remote in the attacker’s campaign model because the attacker can stand far away and wait for normal business behavior to do the triggering.

The Office Threat Model Lives in the Inbox, Not on an Open Port

The modern Office attack surface is not just the desktop application. It is the document supply chain around it: email attachments, Teams chats, SharePoint libraries, OneDrive links, downloaded templates, macros, embedded media, add-ins, and compatibility layers that still need to understand decades of file formats.
That is why Microsoft Office RCE advisories often look strange beside server vulnerabilities. A SharePoint or Exchange pre-authentication RCE naturally invites questions about exposed endpoints and perimeter scanning. An Office RCE invites different questions: who can receive external files, which file types are blocked, whether Protected View applies, whether preview handlers are involved, and how quickly endpoints can receive the Office update.
The practical attacker workflow is also different. A server-side RCE can be automated against a fleet of IP addresses. A document-based RCE is more likely to appear in phishing, targeted intrusion, malicious attachments, drive-by downloads, poisoned document repositories, or business email compromise chains.
That is why CVE-2026-45645’s wording is best read as a warning about consequence, not a promise about exploit transport. The vulnerability may let code run. The code runs because something on the local system processes the malicious input.

The Title Tells You Impact; The Vector Tells You the First Move

The cleanest way to resolve the apparent contradiction is to split the advisory into two sentences.
The title says: if exploited, this is a code execution problem in Microsoft Office with a remote attacker in the threat model.
The CVSS vector says: the vulnerable operation is reached through local execution or local processing on the victim machine.
Both can be true. In fact, both are common for client-side vulnerabilities. A malicious document can be created by someone on another continent, delivered through a cloud link, and opened by a user in a corporate network. The attacker is remote, but the exploit path is local.
The confusion gets worse because “remote” sounds like a network property. In ordinary IT language, remote access means connecting over the network. In vulnerability naming, remote code execution is often an impact class that says the attacker need not already be locally present to influence code execution.
That is not ideal terminology, but it is deeply embedded in security advisories, scanners, dashboards, and patch management systems.

For Administrators, the Real Question Is Not the Adjective

For Windows administrators, the important question is not whether the label feels semantically pure. The important question is what conditions are required for exploitation and what controls reduce the chance that those conditions occur.
If CVE-2026-45645 requires a user to open a malicious file, the defensive center of gravity shifts toward endpoint patching, attachment handling, Office hardening, and user-facing content controls. If preview panes, Protected View bypasses, or automatic processing are involved, the user-interaction assumption weakens and the risk calculus changes. If exploitation only runs with the current user’s privileges, privilege management and least-privilege practices matter more. If the bug can escape sandboxes or chain with privilege escalation, the urgency rises again.
That is the broader lesson: CVSS is a compressed model, not a substitute for scenario analysis. AV:L is one field. It should not be read in isolation from user interaction, privileges required, attack complexity, scope (in CVSS v3.x), and the confidentiality, integrity, and availability impacts.
In Office environments, a local attack vector can still produce enterprise-scale trouble because the delivery path is so well established. Documents are supposed to cross trust boundaries. That is Office’s business value and its enduring security problem.

Patch Triage Should Treat This as Client-Side RCE, Not Network RCE

The right mental bucket for CVE-2026-45645 is client-side Office code execution. That framing avoids both extremes. It does not inflate the issue into a wormable network vulnerability if the vector does not support that reading. It also does not minimize the issue as “local only” in the misleading sense of requiring an insider at the keyboard.
For patch teams, that means the update belongs in the normal high-priority Office security cycle, especially for users who routinely handle external files. Legal, finance, HR, procurement, sales, executive support, engineering, and help-desk teams often sit directly in the blast radius of malicious document campaigns.
For security operations teams, detections should focus on suspicious Office child processes, unexpected script or shell launches, abnormal document-origin patterns, and known phishing delivery routes. The vulnerability title tells you to care about execution. The vector tells you where to look for the trigger.
For risk owners, the phrase “remote code execution” should still carry weight. The fact that exploitation is locally triggered does not make it harmless. It means the attacker’s path runs through human and application workflows rather than a directly exposed network service.
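The detection guidance above (suspicious Office child processes and document-origin patterns) reduces to a small correlation rule. The following is an added example written for this page, not a detection shipped by Microsoft or by any referenced vendor. It runs over constructed Sysmon-style records: Event ID 1 (process creation) and Event ID 15 (alternate data stream creation, which is where the Zone.Identifier Mark-of-the-Web stream that Protected View consults shows up). The process allowlist and the sample events are assumptions to be tuned per environment, and the sample telemetry is invented, not captured.

```python
"""Office-child-process detection with document-origin enrichment over constructed Sysmon-style events."""
from __future__ import annotations

import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
# Interpreters and living-off-the-land binaries that a document parser has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                       "msiexec.exe", "schtasks.exe", "wmic.exe"}
# Assumed allowlist of children Office spawns legitimately (print spooler proxy, crash reporter).
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe"}
# URL security zones as written into Zone.Identifier; 3 and 4 are what Protected View treats as untrusted.
ZONE_NAMES = {"0": "local machine", "1": "intranet", "2": "trusted", "3": "internet", "4": "restricted"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def parse_zone_identifier(contents: str) -> dict:
    """Parse the INI-style Zone.Identifier stream: '[ZoneTransfer]\\r\\nZoneId=3\\r\\nHostUrl=...'."""
    fields = {}
    for line in contents.splitlines():
        line = line.strip()
        if line and not line.startswith("["):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def triage(events: list[dict]) -> list[dict]:
    """Flag Office apps spawning unexpected children; tag each finding with the opened document's origin."""
    origins: dict[str, str] = {}  # lower-cased document path -> zone name, learned from Event ID 15
    findings = []
    for ev in events:
        if ev.get("EventID") == 15 and ev["TargetFilename"].lower().endswith(":zone.identifier"):
            doc = ev["TargetFilename"][: -len(":Zone.Identifier")].lower()
            zone = parse_zone_identifier(ev.get("Contents", "")).get("ZoneId")
            origins[doc] = ZONE_NAMES.get(zone, "unknown")
        elif ev.get("EventID") == 1:
            parent, child = _name(ev["ParentImage"]), _name(ev["Image"])
            if parent not in OFFICE_APPS or child in BENIGN_CHILDREN:
                continue
            # The document path appears in the Office process's own command line; match it to a MotW record.
            parent_cmd = ev.get("ParentCommandLine", "").lower()
            origin = next((zone for doc, zone in origins.items() if doc in parent_cmd), "unknown")
            findings.append({
                "severity": "high" if child in SUSPICIOUS_CHILDREN else "medium",
                "parent": parent,
                "child": child,
                "document_origin": origin,
                "command_line": ev.get("CommandLine", ""),
            })
    return findings


# Constructed sample telemetry (not real logs): a downloaded document gets its Mark-of-the-Web,
# Word spawns a benign print helper, then Word spawns PowerShell with the usual evasion switches.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DOC = r"C:\Users\alice\Downloads\Invoice_2026.docm"
SAMPLE_EVENTS = [
    {"EventID": 15, "TargetFilename": DOC + ":Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://share.example.invalid/Invoice_2026.docm\r\n"},
    {"EventID": 1, "Image": r"C:\Windows\splwow64.exe", "ParentImage": WORD,
     "ParentCommandLine": f'"{WORD}" /n "{DOC}"', "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": WORD,
     "ParentCommandLine": f'"{WORD}" /n "{DOC}"',
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on the parent, not on the document type: a .docm, an .xlsx with an embedded object, or an RTF all end up as the same WINWORD.EXE or EXCEL.EXE parent, and the child interpreter is the part the attacker cannot avoid if they want code execution outside the Office process. The origin tag is what turns an alert into a triage decision: a PowerShell child under a document with ZoneId=3 is exactly the remote-attacker, local-trigger pattern this page describes.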

Microsoft’s Naming Habit Is Imperfect, but the Distinction Is Useful

Microsoft could reduce confusion by using more explicit titles for client-side bugs, such as “Microsoft Office Arbitrary Code Execution Vulnerability” or “Microsoft Office Document Parsing Code Execution Vulnerability.” Those labels would better separate consequence from exploit path. But the industry has standardized around RCE as the headline term for “attacker-controlled code can run,” even when the actual trigger is a local parse operation.
That convention is not unique to Microsoft. Security vendors, vulnerability databases, and patch bulletins routinely use RCE for malicious-file vulnerabilities. The phrase has become a severity shorthand as much as a technical description.
The trouble is that shorthand travels badly into dashboards. A CISO sees “remote code execution” and asks why the vector says local. A sysadmin sees AV:L and wonders whether the patch can wait. A vulnerability manager sees both and has to explain that neither field is wrong; they are describing different dimensions.
That explanation is worth making because it prevents bad decisions in both directions. Overstating the network reach can lead to panic and noisy prioritization. Understating the remote attacker model can leave document-heavy users exposed.

The Practical Reading for CVE-2026-45645 Is Narrow but Serious

The most useful interpretation is this: CVE-2026-45645 is not described as a direct network attack, but it is still a remote-attacker code execution risk if malicious content reaches a victim and is processed locally by Microsoft Office.
That interpretation leads to concrete action rather than semantic debate.
  • Administrators should patch affected Office installations promptly, especially on systems used to open external documents.
  • Security teams should treat AV:L as a statement about the exploit trigger, not proof that the attacker needs physical or authenticated local access.
  • Users should be more cautious with unsolicited Office files, even when the vulnerability headline already says “remote.”
  • Endpoint controls should watch for Office spawning unexpected processes or loading suspicious content from internet-origin files.
  • Risk scoring should distinguish this from a network-vector RCE, but it should not downgrade it into a minor local-only issue.
The naming contradiction is really a reminder that vulnerability language is layered. The title speaks in the grammar of impact; CVSS speaks in the grammar of exploit mechanics. For CVE-2026-45645, the attacker may be remote, the trigger may be local, and the consequence may still be code execution on a Windows endpoint. That is exactly the kind of ambiguity defenders have to translate quickly, because attackers do not care what the field is called once the document opens.

References

  1. Primary source: MSRC
    Published: 2026-06-09T07:00:00-07:00
  2. Related coverage: threats.kaspersky.com
  3. Related coverage: bleepingcomputer.com
  4. Related coverage: rapid7.com
