Remote Delivery, Local Execution: Decoding AV:L and RCE in Office CVEs

The short answer is: the word Remote in the CVE title describes the attacker’s position and the delivery path, while the CVSS Attack Vector AV:L describes where the exploit actually executes — on the victim’s local machine — and the two are complementary, not contradictory.

Background / Overview​

Microsoft’s Security Update Guide and many vendor advisories label Office flaws as Remote Code Execution (RCE) because the attacker can initiate the attack from a remote location, for example by emailing or hosting a malicious Office document, and thereby achieve code execution on the target system if the user opens or previews that document. The Common Vulnerability Scoring System (CVSS), by contrast, uses the Attack Vector (AV) metric to record the context in which the vulnerable component itself can be exploited. When that component is a document parser that is not bound to the network stack and is reached only through a local action (opening a file, previewing an email attachment, or otherwise causing the local application to parse crafted input), CVSS assigns AV:L (Local), usually paired with UI:R (User Interaction: Required), even though the malicious file was delivered remotely. This is the classic “remote delivery, local execution” model, and it explains the apparent mismatch between advisory headlines and CVSS vectors.
Understanding this distinction is essential for accurate triage, effective mitigations, and clear communication between security teams and administrators. The CVE title signals impact and attack origin, while CVSS communicates exploit mechanics and exploitability constraints.

Why vendors call some Office flaws “Remote Code Execution” even when CVSS shows AV:L​

Two different questions, two different answers​

  • CVE/advisory titles answer: What can an attacker achieve? — If exploited, will arbitrary code run on the victim machine? If yes, many advisories mark it as RCE.
  • CVSS Attack Vector answers: How is the vulnerable component exploited? — Does the exploit require network protocol-level access, adjacency, local access, or physical access?
Saying “Remote Code Execution” tells a busy sysadmin: an external attacker can cause your endpoint to run arbitrary code — important triage information. Saying AV:L tells an analyst: the exploit requires a local parsing/execution event — typically user interaction or a local process parsing remote input. Both statements are correct and address different operational concerns.

The precise CVSS logic​

CVSS scores the vulnerable component, not the delivery path, and the Attack Vector metric records the context in which that component can be exploited. If the vulnerable code path is reached only when an Office process parses a file on the local filesystem (even if the file arrived over the network), the component is not bound to the network stack and CVSS treats the exploitation as Local (AV:L). Keeping delivery out of the metric avoids scoring the same network hop twice and keeps scores consistent across exploitation models. The CVSS v3.1 specification’s definition of AV:L names exactly this case: an attacker who relies on User Interaction by another person, for example by using social engineering to trick a legitimate user into opening a malicious document.

Technical anatomy: how a remote delivery becomes a local execution RCE​

Typical exploitation chain (document-based Office RCE)​

  • Attacker crafts a malicious Office document (Word, Excel, PowerPoint) that triggers a memory corruption or parsing bug.
  • Attacker delivers the document remotely — email attachment, shared link, cloud share, or public download.
  • Victim opens the document (or in some setups, simply previews it), and the local Office process parses the malicious stream.
  • The parse triggers memory corruption (use‑after‑free, heap overflow, out‑of‑bounds read/write) and attacker-controlled data is used to redirect execution to payload code.
  • Payload runs under the user’s account or the application’s privileges, enabling credential theft, lateral movement, or ransomware.
This is why advisories call these RCEs — the attacker is remote and can cause code to run on the victim — but CVSS records AV:L because the final trigger is a local parsing/execution event.

Two important nuances that change the exposure​

  • Preview handlers and automatic rendering: If a mail server, collaboration platform or cloud preview service renders the document with the same vulnerable parser, the vulnerable component is now a network-reachable server process that parses attacker-supplied input with no user action. Scored on its own, that exposure is AV:N (and typically UI:N), and severity rises accordingly. Administrators should check whether their mail servers, content-management systems, or collaboration platforms perform server-side rendering with Office components.
  • User privileges: The payload runs with the privileges of the process that parses the file. If that process runs under an admin or elevated account, the blast radius is much larger. Least-privilege practice reduces post‑exploit impact.

Operational implications: triage, prioritization and mitigation​

Why the distinction matters for defenders​

  • If an RCE CVE is AV:N (network), emergency perimeter controls and urgent exposure reduction take priority, because a remote attacker can reach the vulnerable component across the network (and, where the vector also shows PR:N and UI:N, without credentials or any user action).
  • If an RCE CVE is AV:L, defenders must shift attention to endpoint and user‑interaction mitigations: disabling preview panes, enforcing Protected View, sandboxing attachments, applying Attack Surface Reduction (ASR) rules, and targeted patching across client workloads. Misreading AV:L as “low risk” is dangerous — document-based AV:L RCEs have high operational impact because attackers can reliably deliver malicious files en masse.

Prioritized mitigation checklist​

  • Patch immediately: apply the vendor update mapped to the CVE through your management channel (WSUS, Intune, MECM, or the Microsoft Update Catalog). The vendor patch is the definitive fix; the measures below limit exposure until it is fully deployed.
  • Enforce Protected View for files from the Internet, from email attachments and from unsafe locations. Protected View opens such files read-only in a sandboxed, restricted process with active content disabled, which contains many document-based exploit chains because a payload landing there also needs a sandbox escape, and it forces an explicit user action (Enable Editing) before the file is handled with full privileges.
  • Disable or restrict automatic preview in mail clients (Outlook preview pane, Explorer preview handlers) for high‑risk users or groups.
  • Enable ASR rules to prevent Office applications from spawning child processes (PowerShell, cmd.exe), and use application allowlisting (AppLocker, WDAC) where possible.
  • Route attachments through sandbox/detonation services at the mail gateway for untrusted or high‑risk senders.
  • Reduce privileges: ensure users do not run daily sessions as administrators.
  • Hunt & detect: run EDR/telemetry hunts for Office processes spawning unexpected children, new scheduled tasks, and unusual network egress from Office binaries.

Practical detection and incident response playbook​

Behavior-based hunting signals​

  • Office executable (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) spawning shell interpreters (cmd.exe, powershell.exe) or script hosts (wscript.exe/cscript.exe).
  • Unusual outbound connections originating from Office processes shortly after document opens.
  • New persistence artifacts appearing within hours of an Office document open event.
  • Mail gateway sandbox alerts or DLP triggers for unusual attachments delivered to many recipients.
Combine file telemetry (sender, download source) with endpoint behavior to increase confidence. Signatures alone are unreliable for modern memory-safety exploits that do not depend on macros.
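The hunting signals listed above can be expressed as two rules over process-creation and network-connection telemetry: an Office binary spawning a shell or script host, and an Office process making an external connection shortly after it started (a proxy for “shortly after the document was opened”). The following hunt is an added example, not part of the original thread or of any vendor product. It runs over a constructed EDR-style export in JSON lines, loosely modelled on Sysmon event IDs 1 and 3; the field names (event, time, host, pid, ppid, image, parent_image, cmdline, dest_ip) and the internal address ranges are assumptions for this example and must be mapped onto your own telemetry schema.

```python
"""Behaviour-based hunt for document-borne Office exploitation.

Added example, not from the original thread. Input is a constructed
EDR-style JSON-lines export; field names and INTERNAL_NETS are assumptions.
"""
import ipaddress
import json
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed internal ranges for this example; tune to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (not real logs), one JSON object per line.
# WS01: Word opens a document, spawns a benign print helper, then cmd.exe,
#       then connects to an external address within seconds of starting.
# WS02: Excel opens a document and connects only to an internal file server.
SAMPLE_TELEMETRY = r'''
{"event":"process_create","time":"2025-10-14T09:00:00Z","host":"WS01","pid":4120,"ppid":1800,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","parent_image":"C:\\Windows\\explorer.exe","cmdline":"WINWORD.EXE /n invoice.docx"}
{"event":"process_create","time":"2025-10-14T09:00:03Z","host":"WS01","pid":4201,"ppid":4120,"image":"C:\\Windows\\splwow64.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"splwow64.exe 12288"}
{"event":"process_create","time":"2025-10-14T09:00:07Z","host":"WS01","pid":4388,"ppid":4120,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"cmd.exe /c powershell.exe -w hidden -ep bypass -f C:\\Users\\alice\\AppData\\Local\\Temp\\upd.ps1"}
{"event":"network_connect","time":"2025-10-14T09:00:09Z","host":"WS01","pid":4120,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest_ip":"198.51.100.23","dest_port":443}
{"event":"process_create","time":"2025-10-14T09:15:00Z","host":"WS02","pid":5012,"ppid":2201,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","parent_image":"C:\\Windows\\explorer.exe","cmdline":"EXCEL.EXE budget.xlsx"}
{"event":"network_connect","time":"2025-10-14T09:15:04Z","host":"WS02","pid":5012,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","dest_ip":"10.20.30.40","dest_port":445}
'''


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(events: list, egress_window: timedelta = timedelta(minutes=5)) -> list:
    """Return findings for Office->shell spawns and early external egress from Office."""
    findings = []
    office_start = {}  # (host, pid) -> start time of an Office process
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] == "process_create":
            child = basename(ev["image"])
            parent = basename(ev["parent_image"])
            if child in OFFICE:
                office_start[(ev["host"], ev["pid"])] = ts(ev["time"])
            if parent in OFFICE and child in SHELLS_AND_SCRIPT_HOSTS:
                findings.append({"rule": "office_spawns_shell", "host": ev["host"],
                                 "time": ev["time"], "parent": parent, "child": child,
                                 "cmdline": ev.get("cmdline", "")})
        elif ev["event"] == "network_connect" and basename(ev["image"]) in OFFICE:
            start = office_start.get((ev["host"], ev["pid"]))
            if (start is not None and ts(ev["time"]) - start <= egress_window
                    and not is_internal(ev["dest_ip"])):
                findings.append({"rule": "office_early_external_egress", "host": ev["host"],
                                 "time": ev["time"], "image": basename(ev["image"]),
                                 "dest_ip": ev["dest_ip"], "dest_port": ev["dest_port"]})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_TELEMETRY)):
        print(f)
```

On the sample data the hunt yields exactly two findings, both on WS01: cmd.exe spawned by WINWORD.EXE, and the connection to 198.51.100.23 nine seconds after Word started. The benign print helper (splwow64.exe) and the Excel connection to an internal file server are not flagged. In production the egress rule needs an allowlist for legitimate Microsoft 365 and SaaS endpoints that Office contacts on startup; treat it as a corroborating signal next to the child-process rule, which is the high-confidence one.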

Containment steps on suspected exploitation​

  • Isolate the affected endpoint from the network.
  • Preserve forensic artifacts: application logs, EDR traces, file metadata, and email headers.
  • Hunt for lateral movement indicators and credential theft, especially TTPs that follow document-based initial access.
  • Patch the vulnerable software across the estate and confirm remediations in patch-management tooling.

Why vendor titles use RCE as a short-hand: communication trade-offs​

Vendor advisories must be concise and easily triaged by administrators. “Remote Code Execution” is a recognized, high‑urgency label that conveys the severity of the impact: an external actor can cause code to run on your systems. The body of the advisory — and CVSS metrics — supply the nuanced exploit mechanics that determine how to respond. This two-tier communication model is intentional: title for triage, details for technical action. However, that shorthand can cause confusion if teams treat the headline as a complete description; the CVSS vector and advisory text must guide operational decisions.

Critical analysis: strengths, gaps, and residual risks​

Strengths of current advisory practice​

  • The RCE headline quickly signals high-impact vulnerabilities and drives urgent attention across mixed security teams.
  • CVSS remains a useful, machine-readable standard to understand exploit mechanics and to automate some triage decisions in patch-management systems.

Gaps and common pitfalls​

  • Misinterpretation risk: Teams that blindly prioritize AV:N over AV:L (or vice versa) may misallocate scarce remediation resources. Treat both delivery vector and CVSS exploit vector as part of a combined risk model.
  • Server-side rendering blind spots: Many organizations forget that server-side document renderers, mail servers, or cloud preview services can change the practical attack vector from Local to Network. If your mail server or a cloud service parses Office files on behalf of clients, exposure is much higher; treat that component as network-reachable and prioritize it as you would an AV:N finding.
  • Automation and indexing delays: MSRC entries and third-party trackers sometimes lag or render dynamically (JS required), complicating automated patch orchestration. Administrators should rely on authoritative update channels (WSUS, Intune, Microsoft Update Catalog) rather than third‑party mirrors when time is critical.

Residual risk after patching​

Even after applying vendor patches, residual risks remain until:
  • All endpoints are confirmed patched and rebooted where required.
  • Previewing behavior and third-party integrations that may still render files server-side are assessed and mitigated.
  • User education and email hardening are in place to reduce the chance of successful social-engineering that delivers malicious documents at scale.

Special cases and notable exceptions​

When “Remote” really means “Remote” (true AV:N)​

If the same vulnerable parser is embedded in a server-side component — for example, an Exchange/SharePoint/OneDrive preview renderer or Office Online Server — then the vulnerability can be triggered remotely without any user opening the document locally. In those cases, both the advisory title “Remote Code Execution” and CVSS Attack Vector AV:N will align, and the exposure is materially worse. Confirm whether affected components include server-side renderers in your environment.

RDP and other client-facing services​

Some CVEs affect client software that interacts with remote servers (for example, an RDP client vulnerability where a malicious RDP server returns crafted packets). These are true AV:N cases because the vulnerable client component receives and parses network data; CVSS normally reflects that as AV:N, often with UI:R because the user must first connect to the attacker-controlled server. Distinguishing client-facing network parsers from local file parsers is crucial to modeling risk accurately.

How to brief management and non-technical stakeholders​

Use one clear phrase: “remote delivery, local execution”.
Explain that:
  • The label “Remote Code Execution” indicates the attacker can be remote and send a harmful file.
  • The CVSS vector AV:L indicates the vulnerability completes only when the file is processed by a local application (user must open or the endpoint must parse it).
  • Operationally this means: patch quickly, strengthen email/file handling, and reduce user privileges — because attackers can distribute malicious files from afar but need the local endpoint to execute them.

Actionable checklist (for Windows/Office environments)​

  • Map CVE-2025-59227 (or the specific Office CVE you are tracking) to its KB and update packages in your patch management system. Confirm affected servicing channels and build numbers via your management tooling.
  • Deploy the vendor patch across all affected clients and servers. Verify installs and reboots if required.
  • Enforce Protected View, disable risky previewing on mail clients, and route unknown attachments through sandbox/detonation systems.
  • Enable ASR rules and application allowlisting to constrain post‑exploit behavior.
  • Hunt for behavioral indicators with EDR, focusing on Office processes spawning child processes and unexpected network traffic.
  • Review server-side renderers and mail gateways: if they parse Office files, treat the exposure as network‑accessible until proven otherwise.
  • Educate users on not opening unexpected attachments and on reporting suspicious emails promptly.

Verification and cautionary notes​

  • The explanation that advisory headlines use “Remote Code Execution” while CVSS may show AV:L is a well-documented convention for Office‑document CVEs; multiple community and vendor writeups confirm this distinction.
  • For any given CVE (including CVE‑2025‑59227), verify the exact CVSS vector, affected builds, and KB IDs in Microsoft’s Security Update Guide and in your patch-management tools before acting. MSRC pages can require dynamic rendering and third‑party mirrors may lag; rely on authoritative update channels for operational decisions. If an MSRC page is not fully accessible due to dynamic rendering, confirm KBs via WSUS/Intune or the Microsoft Update Catalog.
  • Where public proof‑of‑concept exploits are absent at disclosure, treat the window between patch publication and completion of estate-wide updates as high-risk. Historically, PoCs and weaponization commonly follow patches.

Conclusion​

The apparent mismatch between a CVE title saying Remote Code Execution and a CVSS Attack Vector listing AV:L (Local) is not an error — it is a reflection of two complementary ways of describing risk. The CVE/advisory title highlights the attacker’s ability to deliver an exploit from a remote location and the high-impact outcome (arbitrary code execution on victims). CVSS records the precise mechanics of exploitation — the moment the vulnerable code is triggered — which in document‑parsing scenarios is often local because the Office client must parse a file on the endpoint.
Treat advisory titles as urgent high-level flags and CVSS vectors as the operational recipe for how exploitation happens. For Office RCEs that score AV:L, prioritize rapid patching, enforce Protected View and ASR rules, harden mail/file handling, and hunt for behavioral indicators — because attackers can and do weaponize remote delivery mechanisms combined with local execution to achieve widespread compromise.
Finally, always verify the specific CVE metadata and KB mapping for your environment using authoritative update channels before completing remediation plans; if server-side parsing components are in use, escalate priority because that configuration can effectively convert a local execution vector into a true network-exploitable condition.

Source: MSRC Security Update Guide - Microsoft Security Response Center