In Microsoft’s terminology, the phrase “Remote Code Execution” in a CVE title describes the impact of the bug, not the CVSS attack vector. In other words, if the vulnerability is successfully triggered, the attacker can cause code to run on the victim’s machine, but the exploit path may still require local processing of a file, document, or other payload. Microsoft has used this pattern for years in Word-related advisories and similar Office issues, where a victim opens or renders content locally and the result is arbitrary code execution in the context of the application (that is, with the privileges of the user running Word).
So the apparent contradiction is mostly about two different classification systems:
- CVE title / Microsoft advisory wording: focuses on what the vulnerability can achieve — remote code execution, arbitrary code execution, or elevation of privilege.
- CVSS AV:L: focuses on the attack vector. Under CVSS v3.x, Local means the vulnerable component is not bound to the network stack; the attacker's path runs through local read/write/execute capabilities, which is why file-parsing bugs are scored AV:L and almost always paired with UI:R (the victim has to open or render the file).
That means the “remote” part does not mean the attacker is sitting on the same machine. It usually means the attacker can deliver the malicious content from elsewhere, for example by email, download, shared file, or another remote delivery method, while the vulnerable code is triggered locally when Word opens or processes that content. Microsoft’s own MSRC guidance for Office and MSDT-style attacks follows this same logic: a remote actor can induce a local application such as Word to invoke vulnerable code.
So the short answer is: the title is about the outcome; CVSS AV:L is about the required trigger path. Both can be true at the same time.
Source: MSRC
Security Update Guide - Microsoft Security Response Center