Microsoft has addressed a critical vulnerability (CVE-2025-21298) in its latest 2025 Patch Tuesday update. This flaw, rated with a CVSS score of 9.8, allows attackers to achieve remote code execution (RCE) on Windows devices through a specially crafted email. The vulnerability affects Microsoft Outlook and has significant implications for email security.
The vulnerability lies in Windows Object Linking and Embedding (OLE), a technology enabling the embedding and linking of documents and other objects. As Microsoft explains, “Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email.” This exploitation scenario underscores the high-risk nature of the vulnerability.
Attackers exploit this vulnerability by sending a malicious email to the victim. If the email is opened or merely rendered in Outlook’s preview pane, the embedded OLE object can trigger remote code execution on the victim’s machine. Because no user interaction beyond viewing the email is required, the attack is particularly dangerous.
The CVE-2025-21298 vulnerability was discovered by researchers Jmini, Rotiple, and D4m0n with Trend Micro’s Zero Day Initiative.
Microsoft has provided several workarounds to mitigate the risks of exploitation for users who cannot immediately apply the patch:
- Read Emails in Plain Text Format: Configuring Microsoft Outlook to display emails in plain text format reduces the risk of triggering malicious OLE objects. However, this may impact usability, as rich content such as pictures and specialized fonts will no longer display correctly. For details on configuring Outlook to read all emails in plain text, refer to Microsoft’s documentation “Read email messages in plain text”.
- Avoid RTF Files from Untrusted Sources: Users are advised to be cautious of emails containing Rich Text Format (RTF) attachments or content from unknown senders.
- Apply Principle of Least Privilege: Restrict user permissions to limit the impact of successful exploitation.
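As an added illustration (not from the article or from Microsoft), the following PowerShell script audits and applies the first workaround, reading all standard mail as plain text, for the current user, and reports whether a Group Policy setting already controls it. The registry location and the ReadAsPlain value are assumed from Outlook’s administrative template settings, and the Office version segment (16.0 for Outlook 2016/2019/Microsoft 365) is a parameter.

```powershell
# Added example: audit/apply Outlook's "read all standard mail in plain text" workaround
# for the current user. Supports -WhatIf and a -Rollback switch to restore HTML rendering.
# Assumption: the user setting lives under HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail
# as DWORD ReadAsPlain (1 = plain text); an equivalent value under the Policies hive wins if set.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OfficeVersion = '16.0',
    [switch]$Rollback
)

$userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
$policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
$valueName = 'ReadAsPlain'
$desired   = if ($Rollback) { 0 } else { 1 }

function Get-ReadAsPlainState {
    # Returns the DWORD under $Key, or $null when absent (Outlook default: render HTML/RTF).
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

# A policy-delivered value overrides the per-user preference, so report it and stop.
$policyState = Get-ReadAsPlainState -Key $policyKey
if ($null -ne $policyState) {
    Write-Output "$valueName is managed by policy ($policyKey = $policyState); no user change made."
    return
}

$current = Get-ReadAsPlainState -Key $userKey
$shown   = if ($null -eq $current) { '<not set>' } else { $current }
Write-Verbose "Current $valueName = $shown"

if ($current -eq $desired) {
    Write-Output "No change needed: $valueName is already $desired."
    return
}

if ($PSCmdlet.ShouldProcess($userKey, "Set $valueName to $desired")) {
    if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    Set-ItemProperty -Path $userKey -Name $valueName -Value $desired -Type DWord
    Write-Output "Set $valueName to $desired under $userKey (restart Outlook to apply)."
}
```

Run it with `-WhatIf` first to see the intended registry change without applying it; the script only touches the current user's hive and does not replace installing the patch.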