What is CVE-2025-66516?
CVE-2025-66516 is an XML External Entity (XXE) injection flaw in Apache Tika, a library used to parse many document formats; the affected component in this context is tika-core.jar version 2.4.1. The flaw is reached only while a PDF document is being parsed: a crafted PDF can cause the parser to resolve attacker-supplied external entities, which lets an attacker read files the parsing process can access or cause a denial of service when the malicious PDF is processed.
Does it impact M365 Security Plus?
There's no impact to M365 Security Plus. Here's why:
M365 Security Plus does not parse PDFs: No feature of the application hands PDF documents to the library's PDF parser, so the code path in which the flaw is triggered is never reached and there is no attack surface for it.
Defense in depth: M365 Security Plus also ships web application firewall (WAF) rules that detect and block XXE injection attempts in uploaded files.
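The two points above, the XXE mechanism the CVE describes and the kind of pattern an XXE-blocking rule looks for, as an added example that is not Tika code and not M365 Security Plus code. It uses Python's standard-library SAX (expat) parser as a stand-in for any XML parser that a document parser may invoke: with external general entity resolution switched on, a DOCTYPE that declares a SYSTEM entity pointing at a local file leaks that file's contents into the parsed text; with it off (the stdlib default since Python 3.7.1) nothing leaks. The indicator patterns, the "secret" file and the payload are constructed for the example; they are assumptions, not a copy of any product's WAF rules.

```python
"""Added example (not Tika, not M365 Security Plus code): how an XXE payload
leaks a local file through an XML parser that resolves external entities,
and the two controls that stop it: parsing with external entity resolution
off, and a pre-parse gate that rejects DOCTYPE/ENTITY declarations in
untrusted input, the kind of pattern a WAF rule would match."""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects every run of character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def build_xxe_payload(target_path):
    """Constructed attacker document: an external general entity whose
    SYSTEM identifier is a local file, referenced from the body."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        "<data>&xxe;</data>\n"
    ).encode()


def parse_collect_text(xml_bytes, resolve_external):
    """Parse with the stdlib SAX (expat) parser. resolve_external=True is
    the vulnerable configuration; False is the stdlib default since 3.7.1
    and the setting a hardened parser uses."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


# Indicator patterns (assumed for this example, not any product's WAF rules).
_INDICATORS = [
    ("doctype", re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)),
    ("external-dtd", re.compile(rb"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)),
    ("external-entity", re.compile(rb"<!ENTITY\b[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)),
    ("parameter-entity", re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)),
]


def xxe_indicators(xml_bytes):
    """Names of the XXE indicators present in raw XML. An empty list means
    the document declares no DTD at all, which is what untrusted input
    should look like when the application never needs DTDs."""
    return [name for name, pattern in _INDICATORS if pattern.search(xml_bytes)]


def parse_untrusted(xml_bytes):
    """Hardened path: refuse anything carrying a DTD, then parse with external
    entity resolution off so a bypass of the gate still cannot read files."""
    found = xxe_indicators(xml_bytes)
    if found:
        raise ValueError("rejected XML input: " + ", ".join(found))
    return parse_collect_text(xml_bytes, resolve_external=False)


def demonstrate():
    """Write a throwaway 'secret' (constructed), aim the payload at it, and
    run it through the vulnerable and hardened configurations."""
    with tempfile.NamedTemporaryFile("wb", suffix=".txt", delete=False) as fh:
        fh.write(b"db_password=hunter2")  # constructed secret, ASCII only
        secret_path = fh.name
    try:
        payload = build_xxe_payload(secret_path)
        benign = b'<?xml version="1.0"?><data>hello</data>'
        return {
            "leaked_when_resolving": parse_collect_text(payload, True),
            "leaked_when_hardened": parse_collect_text(payload, False),
            "payload_indicators": xxe_indicators(payload),
            "benign_indicators": xxe_indicators(benign),
            "benign_text": parse_untrusted(benign),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The gate in `xxe_indicators` only sees what is in plain text in front of it; XML that sits inside a compressed container (a PDF stream, an Office zip) has to be unpacked before any such rule can inspect it. That is why the first point above, not handing PDFs to the parser at all, is the control that actually decides applicability, and the WAF rule is a second layer rather than the primary one.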
Customer action required
No action is needed from M365 Security Plus customers; this vulnerability poses no risk to M365 Security Plus deployments.
Conclusion
CVE-2025-66516 is not applicable to M365 Security Plus.
The product does not use the PDF parsing functionality required to trigger the issue.
Existing WAF protections further mitigate any potential risk.
We will continue to monitor and proactively assess any reported vulnerabilities to ensure the security of M365 Security Plus.