Cisco Talos recently discovered a code execution vulnerability in some versions of Microsoft Excel. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted Excel file,

triggering a use-after-free condition and allowing them to execute remote code on the victim machine.

Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Microsoft Office Excel s_Schema code execution vulnerability (TALOS-2020-1015/CVE-2020-0901)

An exploitable code execution vulnerability exists in the Excel s_Schema functionality of Microsoft Office 2001, build 12430.20264 and Microsoft Office 365 ProPlus x86 - version 1908, build 11929.20606. A specially crafted malformed file can cause a use-after-free resulting in remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that this vulnerability affects Microsoft Excel for Microsoft Office 2001, build 12430.20264 and Office 365 ProPlus x86, version 1908, build 11929.20606.


The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules: 53268, 53269