RCE vs AV:L: Understanding CVE-2025-59226 Exploitation Path

Microsoft’s labeling of CVE-2025-59226 as a “Remote Code Execution” issue while its CVSS Attack Vector is listed as AV:L (Local) is not an error — it’s a product of two different conventions answering two different questions: what the bug allows an attacker to accomplish, and how the attacker must get the bug to trigger. Security vendors and advisories use “Remote Code Execution (RCE)” as a high‑level impact class to signal that successful exploitation results in arbitrary code running on the victim machine, whereas the CVSS Attack Vector field records the precise technical path required to exploit the vulnerability, and in document‑parsing cases that often ends up as Local even when the malicious file was delivered across a network.

Background / Overview​

The shorthand phrase Remote Code Execution is widely understood by IT teams and security operators as a red flag: if an attacker can make your endpoint run arbitrary code, the implications are severe — data theft, lateral movement, persistence, ransomware, and full enterprise compromise. Vendors therefore put RCE in advisory titles to communicate impact urgency. But CVSS (the Common Vulnerability Scoring System) is answering a different, narrower question: what level of network/physical proximity does an attacker need at the point where the vulnerable component is actually exercised? CVSS Attack Vector values (Network, Adjacent, Local, Physical) reflect the exploitable component’s exposure, not the entire delivery chain. When an exploit requires a user to open a malicious file in a local application (for example, Visio parsing a malformed .vsdx), CVSS guidance says AV:L is the correct classification even if that file was emailed or downloaded over the Internet.
This distinction — impact vs. exploitation path — is central to understanding many Office/Visio advisories where titles emphasize RCE but the CVSS vector reads AV:L. The title describes the end result; the CVSS vector describes the exploit’s execution context. Treat the title as urgency shorthand and the CVSS vector (plus the advisory narrative) as the operational recipe defenders should follow.

---

Why the apparent contradiction exists: mechanics and semantics​

Two separate signals: impact and attack surface​

Advisory titles answer: what can the attacker achieve? — e.g., run arbitrary code on the target machine (RCE). CVSS Attack Vector answers: how remote can the attacker be when they exploit the flaw? — AV:L means the vulnerable component is not directly reachable over a protocol: someone (or something) on the victim’s machine must parse the crafted input. These two statements are complementary, not contradictory.

The document‑parsing pattern​

Most Office/Visio RCEs follow a recurring pattern:

• An attacker crafts a malicious document (Visio file in this case) containing malformed fields that exploit a memory-safety bug or logic flaw in the parser.
• The attacker delivers that document remotely (email attachment, cloud share, web download).
• A local application (Visio) on the victim’s machine opens or parses the file. The actual vulnerability triggers in the local process and executes attacker-controlled code under the user’s privileges.

Because the parsing happens inside a local process (not in a network daemon), CVSS records the attack vector as Local even though the initial delivery over the Internet enabled the attack.

Why vendors say “Remote Code Execution”​

Vendors use “Remote Code Execution” as a human‑facing classification for impact. The term emphasizes the end-state — that code can run on a victim machine and potentially be controlled by an off‑host actor. It’s a communication choice designed to get administrators’ attention quickly, while the advisory body contains the granular details (CVSS vector, UI requirements, affected builds, KB numbers). This succinct labeling convention is intentional and widely used in industry advisories.

---

Technical unpacking: CVSS, AV:L, and user interaction​

What AV:L actually means in CVSS v3.x​

AV:L (Local) reflects that the attack requires the attacker (or an agent controlled by the attacker) to have some level of local access to the target host, or that the vulnerable component is not tied to a network-facing interface. CVSS distinguishes this from AV:N (Network), which denotes direct exploitability over network protocols without local file execution. The CVSS user guide explicitly notes that when a document is downloaded over the network but a local application parses it, AV:L is appropriate to avoid conflating delivery with exploitation.

User interaction and Protected View​

Many Office-based RCEs also include UI:R (User Interaction Required) in their CVSS vector. This reflects the need for a user to open the document (or sometimes to preview it) to trigger the vulnerability. Protected View, Outlook preview panes, and Explorer preview handlers can alter the risk calculus: if a preview handler parses the file automatically, the attack may become easier because users might be compromised without an explicit “Open” action. Consult the advisory narrative to confirm whether preview handlers are implicated — if they are, the effective attack surface widens and defenders should treat the issue with greater urgency.

---

Real‑world implications for defenders and administrators​

Why this distinction matters for triage​

• If a vulnerability is RCE with AV:N, attackers can target network‑facing services at scale; prioritize immediate perimeter controls and rapid patching.
• If an RCE is labeled AV:L, the immediate operational focus shifts toward reducing user interaction risk and hardening endpoints (e.g., disabling previews, enforcing Protected View, mail filtering, application allowlisting). Misinterpreting the CVE title alone can lead to misprioritization.

Preview handlers and server-side rendering — escalation points​

One nuance: if a server-side component (mail gateway, collaboration platform, thumbnail generation service) parses Visio files on behalf of clients, the vulnerability could effectively become network-exploitable because that server will be doing the parsing. In such deployments, the attack vector for the vulnerable component changes and the CVSS vector should reflect the component being exploited, not the upstream delivery mechanism. Many enterprise advisories explicitly call out this scenario as a reason to check server-side rendering and scanning infrastructure.

Practical consequences​

A typical worst-case scenario for an AV:L Visio RCE:

• Attacker emails a malicious .vsdx to a user.
• User opens or previews the file in Visio or via Outlook preview.
• The Visio process executes attacker payload with the user’s privileges.
• Attacker performs credential theft, spawns additional payloads, or persists in the environment.

Enterprise spreads can be rapid because the same malicious file can be sent to many recipients. For this reason, even AV:L RCEs are high-priority patches in many organizations.

---

Step‑by‑step hardening and incident response checklist​

• Inventory: Identify all hosts with Microsoft Visio installed and capture build/channel (Microsoft 365 Apps Click‑to‑Run, Office LTSC, standalone Visio). Confirm whether server components perform Visio rendering.
• Patch: Obtain the Microsoft KB/update that corresponds to the CVE and schedule immediate deployment, prioritizing high‑risk groups (admins, engineering workstations). Use WSUS/Intune/SCCM to verify installation.
• Short‑term mitigations if patching is delayed:
• Disable Visio file previews in File Explorer and the Outlook preview pane.
• Enforce Protected View for files from the Internet and block automatic enabling of active content.
• Apply application control (whitelisting) and least privilege principles.
• Mail gateway controls: Block or quarantine unsolicited .vsd/.vsdx attachments and use detonation/sandboxing for suspicious files.
• Detection rules: Add EDR rules to alert when Visio spawns uncommon child processes (PowerShell, cmd), or when new executables are written to temp directories immediately after Visio starts.
• IR playbook: Isolate impacted hosts, capture volatile memory, and preserve Visio artifacts for forensic analysis. Monitor for lateral movement indicators and exfil channels.
• Short mitigation benefits:
• Reduces chance of silent compromise via preview handlers.
• Buys time for thorough patching across large estates.
• Lowers impact by limiting user privileges and execution contexts.

---

Detection and tuning guidance for SOCs​

• High‑value telemetry: look for Visio.exe launching powershell.exe, cmd.exe, or wscript/cscript shortly after file open; new DLL loads from user temp; unexpected network egress after Visio processes spawn.
• Correlate mail gateway logs with EDR events — multiple recipients of the same suspicious Visio attachment and simultaneous Visio process events are strong indicators of a campaign.
• Tune alerts to avoid false positives from legitimate automation but raise severity when privileged users open externally received Visio files.

---

Historical context: this is a well‑trodden pattern​

Office document RCEs have repeatedly followed the same labeling and CVSS pattern: advisories declare Remote Code Execution to indicate impact, while CVSS correctly records the attack vector as Local when user interaction or local parsing is required. This has been the convention in many MSRC advisories and community write‑ups dating back years because the semantics of “remote” in RCE refer to the location of the attacker or the class of impact rather than the precise local vs. network technicality of the exploit. Treating the title as impact shorthand and the CVSS vector as the operational recipe is a mature answer to what otherwise appears as a contradiction.

---

Strengths, limitations, and verification notes​

Strengths of current industry practice​

• Advisory titles that prioritize impact (RCE) help administrators triage quickly.
• CVSS vectors provide a consistent, machine-readable way to classify how the vulnerability is exploited.
• The combination allows both rapid urgency signaling and precise operational guidance — when read together, they enable sensible remedial action.

Limitations and potential for misunderstanding​

• Administrators who only read the CVE title and ignore the CVSS/vector fields may either over- or under-prioritize remediation.
• Automated ingestion systems that map CVE titles to action policies without parsing vector or vendor text can misclassify risk.
• Server-side rendering or preview handlers can change the effective attack surface, turning an AV:L vulnerability into a remotely exploitable condition if unaccounted for in the environment. Organizations must inspect where parsing happens, not only where documents are delivered.

Verification and cautionary flags​

• Vendor advisory details (CVSS string, affected builds, KB numbers, preview handler impact) are authoritative and should be consulted directly via Microsoft’s Security Update Guide or the Update Catalog. Community analyses and aggregated trackers are valuable for operational context but may lag on per-product KB mapping or exact CVSS strings. Administrators should treat any uncorroborated numeric scores or exploit status as provisional until vendor metadata or trusted third‑party databases confirm them.

---

How to read an MSRC advisory for this class of CVE (practical checklist)​

• Read the CVE title to understand the impact class (e.g., Remote Code Execution).
• Read the CVSS vector string (AV/AC/PR/UI) to know the exploit prerequisites and attack surface.
• Read the advisory narrative for delivery mechanisms, whether preview handlers are implicated, and whether user interaction is required.
• Map product builds and KB articles to your inventory and schedule patches via enterprise update channels.
• Cross‑check with reputable vendor advisories and EDR vendor guidance for detection and temporary mitigations if patching is staged.

---

Conclusion​

The label “Remote Code Execution” on the CVE-2025-59226 advisory communicates a critical impact outcome — an attacker can make code run on a victim machine — while the CVSS Attack Vector AV:L describes that the exploitation step occurs locally inside a parsing process (Visio) and therefore requires the attacker to get the victim to open or trigger a malicious file. Both statements are correct: they answer different operational questions. Administrators should treat the title as a red‑flag for severity and the CVSS vector and advisory narrative as the playbook for remediation and detection. Immediate action should focus on patching, disabling risky previews, enforcing Protected View, tightening mail gateway and DLP rules for Visio attachments, and tuning EDR to detect post‑exploit behaviors until the KB is fully deployed across the estate.
If the environment performs any server‑side Visio rendering or automatic previewing, treat that infrastructure as part of the vulnerable attack surface and escalate the remediation timeline accordingly — what looks local at the endpoint can become network‑accessible when parsing is offloaded to shared services.
Above all, read the advisory details, map KBs to your inventory, and apply patches promptly: the combination of wide distribution vectors (email, cloud shares) and simple social engineering means document‑based RCEs scale quickly once weaponized.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center