Table of Contents
- Which Microsoft Office security updates do I need for December 2025?
- Critical Security Action Plan: Microsoft Office Updates (December 2025)
- The “End of Support” Anomaly
- Priority Updates: Office 2016 (MSI / Volume License)
- Modern Office Architecture (Click-to-Run)
- Retail & Consumer Versions
- Enterprise Update Channels
- Volume Licensed Versions (LTSC)
- Server Infrastructure Updates
Which Microsoft Office security updates do I need for December 2025?
Critical Security Action Plan: Microsoft Office Updates (December 2025)
On December 9, 2025, Microsoft deployed essential security patches for the Office suite. These updates address critical vulnerabilities that attackers could exploit to take control of affected systems. System administrators and users must verify their patch status immediately.
The “End of Support” Anomaly
Microsoft Office 2016 and 2019 officially reached End of Support (EOS) in October 2025. Despite this, Microsoft released exception updates this December. Do not view this as a continuation of standard support. This is likely a final measure for critical threat mitigation.
Advisor Recommendation: If you manage legacy systems, you must transition immediately. You cannot rely on future patches from Microsoft. For organizations unable to upgrade hardware or software yet, third-party micropatching solutions like 0patch are now the primary defense line for Office 2016 and 2019 vulnerabilities.
Priority Updates: Office 2016 (MSI / Volume License)
The following updates apply to the Windows Installer (MSI) versions of Office 2016. These patches specifically target Remote Code Execution (RCE) vulnerabilities. RCE flaws allow attackers to run malicious commands on your computer if you open a compromised file.
Install these Knowledge Base (KB) articles immediately:
- Excel 2016: KB5002820
- Mitigates: Six distinct RCE vulnerabilities (CVE-2025-62556, CVE-2025-62564, CVE-2025-62563, CVE-2025-62561, CVE-2025-62560, CVE-2025-62553).
- Word 2016: KB5002806
- Mitigates: Four RCE vulnerabilities (CVE-2025-62559, CVE-2025-62558, CVE-2025-62555, CVE-2025-62562).
- Access 2016: KB5002812
- Mitigates: One RCE vulnerability (CVE-2025-62552).
- Office 2016 Core: KB5002819 & KB5002818
- Mitigates: Multiple core RCE flaws affecting the broader suite structure.
Modern Office Architecture (Click-to-Run)
Newer versions of Office (2019, 2021, 2024) and Microsoft 365 utilize Click-to-Run (C2R) technology. These versions do not require manual KB downloads. They update automatically through the internal Office Update function.
Ensure your deployment matches the specific Version and Build numbers listed below to confirm security:
Retail & Consumer Versions
- Current Channel: Version 2511 (Build 19426.20186)
- Office 2024 Retail: Version 2511 (Build 19426.20186)
- Office 2021 Retail: Version 2511 (Build 19426.20186)
Enterprise Update Channels
- Monthly Enterprise: Version 2510 (Build 19328.20266)
- Semi-Annual Enterprise: Version 2502 (Build 18526.20672)
Volume Licensed Versions (LTSC)
- Office LTSC 2024: Version 2408 (Build 17932.20620)
- Office LTSC 2021: Version 2108 (Build 14334.20440)
- Office 2019: Version 1808 (Build 10417.20080)
Server Infrastructure Updates
Microsoft also secured the backend infrastructure. Administrators managing SharePoint or Office Online Server must apply the following patches to prevent server-side compromise.
- SharePoint Server Subscription Edition: KB5002815
- SharePoint Server 2019: KB5002816 (Core) / KB5002802 (Language Pack)
- SharePoint Server 2016: KB5002821 (Enterprise) / KB5002804 (Language Pack)
- Office Online Server: KB5002817