Microsoft Patches Outlook Zero-Click RCE Vulnerability Exploited Via Email

Microsoft issued a critical security patch addressing a newly discovered vulnerability in Outlook, designated as CVE-2025-21298.

This flaw, characterized as a zero-click remote code execution (RCE) vulnerability, poses a significant risk to users by potentially allowing attackers to execute arbitrary code simply by sending a malicious email.

Vulnerability Details

CVE-2025-21298 arises from a “Use After Free” weakness (CWE-416), which can be exploited over a network with low complexity and no user interaction required.

- Advertisement -

The CVSS (Common Vulnerability Scoring System) score for this vulnerability stands at 9.8, indicating its critical severity.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The potential impact on confidentiality, integrity, and availability is rated high, further emphasizing the urgency for users to apply the patch.

While the vulnerability has not been publicly disclosed nor exploited at the time of the patch release, experts indicate that its exploitability is more likely, making it crucial for users to act swiftly.

Microsoft has confirmed the vulnerability and strongly advises users to update their systems without delay.

To mitigate the risks posed by CVE-2025-21298, Microsoft suggests several best practices:

1. Update Outlook: The primary defense is to install the official patch immediately. This update fixes the underlying vulnerability and protects against potential exploitation.
2. Email Viewing Settings: Users are encouraged to configure Microsoft Outlook to read email messages in plain text format. This setting reduces the risk of automatically executing malicious content embedded in rich text formats. For detailed guidance on setting up plain text email viewing, users can refer to Microsoft’s official documentation.
3. Caution with Attachments: Users should exercise caution when opening RTF files and other attachments from unknown or untrusted sources, as these can be vehicles for exploitation.

In light of CVE-2025-21298’s critical nature, all Outlook users are strongly urged to prioritize updating their software and adhering to the recommended safety practices.

By staying vigilant and proactive, users can significantly mitigate their risk of falling victim to this serious security threat and ensure their systems remain protected against potential exploits.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar