- A vulnerability in Microsoft Outlook allowed threat actors to distribute malware via email
- The bug abuses the Windows Object Linking and Embedding function
- A patch is already available, and users are advised to apply it ASAP
Microsoft has released a patch for a critical vulnerability that allowed threat actors to distribute malware through its Outlook email client – and given the severity of the flaw, users are advised to install the patch immediately.
In a security advisory, Microsoft detailed CVE-2025-21298, a use-after-free vulnerability with a severity score of 9.8/10 (critical). Use after free is a vulnerability in which threat actors are able to use previously freed memory, which allows them to corrupt valid data, or in this scenario – distributing malware remotely.
Located in the Windows Object Linking and Embedding (OLE) function, the bug means simply viewing a malicious email in the preview pane is enough to have the endpoint infected with malware. Windows OLE is a technology that allows embedding and linking to documents and other objects. For example, users could embed an Excel chart into a Word document, and updates in the Excel file will reflect in the Word document, if linked.
Specially crafted emails
“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” Microsoft explained in the advisory.
“Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email . This could result in the attacker executing remote code on the victim’s machine.”
For those that cannot apply the patch immediately, Microsoft suggests a number of mitigations, including viewing emails as plain text and, in large LAN networks, restricting NTLM traffic, or disabling it altogether. Viewing emails as plain text means other multimedia, such as images, animations, or different fonts, will not be displayed.
It’s worth the trouble, though, since the malware sent this way can cause severe business disruptions, loss of customers, and possibly even regulatory fines.
Via NotebookCheck