
In Microsoft’s terminology, the phrase “Remote Code Execution” in the CVE title describes the impact of the bug, not necessarily the CVSS attack vector. In other words, if the vulnerability is successfully triggered, the attacker can cause code to run on the victim’s machine, but the exploit path may still require local processing of a file, document, or other payload. Microsoft has used this pattern for years in Word-related advisories and similar Office issues, where a victim opens or renders content locally and the result is arbitrary code execution in the context of the application.
So the apparent contradiction is mostly about two different classification systems:
- CVE title / Microsoft advisory wording: focuses on what the vulnerability can achieve — remote code execution, arbitrary code execution, or elevation of privilege.
- CVSS AV:L: focuses on the attack vector, meaning the exploit requires local interaction or local execution context on the target system.
So the short answer is: the title is about the outcome; CVSS AV:L is about the required trigger path. Both can be true at the same time.
Source: MSRC Security Update Guide - Microsoft Security Response Center
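The distinction described above can be made explicit when triaging advisories by reading the impact from the title and the trigger path from the CVSS vector as two separate fields. The following is an added example, not code from Microsoft or the advisory; the function names, the sample records and the placeholder CVE IDs are constructed for illustration.

```python
import re

# CVSS v3.x Attack Vector (AV) metric values, as defined in the CVSS specification.
ATTACK_VECTOR = {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}

# Impact phrases as they appear in advisory titles.
IMPACT_PATTERNS = {
    "RCE": re.compile(r"remote code execution", re.IGNORECASE),
    "EoP": re.compile(r"elevation of privilege", re.IGNORECASE),
}

def parse_vector(vector):
    """Split 'CVSS:3.1/AV:L/AC:L/...' into a {metric: value} dict."""
    prefix, *parts = vector.strip().split("/")
    if not re.fullmatch(r"CVSS:3\.[01]", prefix):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or not key or not value or key in metrics:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    if metrics.get("AV") not in ATTACK_VECTOR:
        raise ValueError(f"missing or unknown AV metric in {vector!r}")
    return metrics

def classify(title, vector):
    """Report the title's impact class and the vector's trigger path separately."""
    metrics = parse_vector(vector)
    impact = next((name for name, rx in IMPACT_PATTERNS.items() if rx.search(title)), "other")
    return {
        "impact": impact,                               # outcome, from the title
        "attack_vector": ATTACK_VECTOR[metrics["AV"]],  # trigger path, from CVSS
        "needs_user_action": metrics.get("UI") == "R",
        "rce_title_local_vector": impact == "RCE" and metrics["AV"] == "L",
    }

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLES = [
    ("CVE-XXXX-0001", "Microsoft Word Remote Code Execution Vulnerability",
     "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    ("CVE-XXXX-0002", "Example Service Remote Code Execution Vulnerability",
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-XXXX-0003", "Example Driver Elevation of Privilege Vulnerability",
     "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
]

if __name__ == "__main__":
    for cve_id, title, vector in SAMPLES:
        print(cve_id, classify(title, vector))
```

A record with `rce_title_local_vector` set is the case the text describes: the title names the outcome, while the vector says the trigger is local processing, here combined with required user interaction.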